d83ea4883b
Addresses final gateway keystore gap: - move keystore injection outside the config.yaml existence branch so gateway/headless installs with only a keystore (and a stubbed .env) still receive credentials on import/startup - re-run keystore injection in the long-lived gateway credential refresh path so rotated keystore secrets can take effect without restart - fix keystore store methods to use short-lived sqlite connections instead of a persistent connection, avoiding database-locked failures during injectable secret reads from fresh processes - add gateway regression tests for startup without config.yaml and refresh- path reinjection of keystore-backed secrets Validation: targeted suite now 136 passing