fix(gateway): skip operator pairing on valid shared auth

src/gateway/server/ws-connection/message-handler.ts

@@ -542,7 +542,13 @@ export function attachGatewayWsMessageHandler(params: {
           return;
         }
 
-        const skipPairing = shouldSkipControlUiPairing(controlUiAuthPolicy, sharedAuthOk);
+        // Shared token/password auth is already gateway-level trust for operator clients.
+        // In that case, don't force device pairing on first connect.
+        const skipPairingForOperatorSharedAuth =
+          role === "operator" && sharedAuthOk && !isControlUi && !isWebchat;
+        const skipPairing =
+          shouldSkipControlUiPairing(controlUiAuthPolicy, sharedAuthOk) ||
+          skipPairingForOperatorSharedAuth;
         if (device && devicePublicKey && !skipPairing) {
           const formatAuditList = (items: string[] | undefined): string => {
             if (!items || items.length === 0) {