feat(gateway): add MQTTS support with TLS and authentication

- Add TLS support via mqtt.Client.tls_set()
- Add username/password authentication
- Password loaded from MQTT_PASSWORD environment variable
- Username and TLS flag read from config.json

Assisted-by: Claude:claude-sonnet-4-6 — guidance on paho-mqtt TLS API
and environment variable pattern for secret management

gateway/gateway.py

@@ -19,10 +19,10 @@ class Gateway:
     """BLE advertising listener and MQTT publisher for Nordic Thingy:52 nodes."""
 
     # Advertising payload keys as defined in the firmware specification
-    KEY_WINDOW  = 0x01
+    KEY_WINDOW   = 0x01
     KEY_HUMIDITY = 0x02
-    KEY_TEMP    = 0x03
-    KEY_CO2     = 0x04
+    KEY_TEMP     = 0x03
+    KEY_CO2      = 0x04
 
     def __init__(self, config: dict):
         self.gateway_id  = config["gateway_id"]
@@ -39,6 +39,20 @@ class Gateway:
         self.mqttc = mqtt.Client(
             callback_api_version=mqtt.CallbackAPIVersion.VERSION2
         )
+
+        # Authentication — username from config, password from environment variable
+        username = config["mqtt"].get("username")
+        password = os.environ.get("MQTT_PASSWORD")
+        if username:
+            self.mqttc.username_pw_set(username, password)
+            log.info(f"MQTT authentication configured for user: {username}")
+
+        # TLS — enabled if specified in config
+        # Required for MQTTS connections (port 8883)
+        if config["mqtt"].get("tls", False):
+            self.mqttc.tls_set()
+            log.info("TLS enabled")
+
         self.mqttc.connect(self.mqtt_broker, self.mqtt_port)
         self.mqttc.loop_start()
         log.info("MQTT client connected")