fix(gateway): block node role when device identity is missing

src/gateway/server.auth.e2e.test.ts

@@ -363,6 +363,28 @@ describe("gateway server auth/connect", () => {
       await expectMissingScopeAfterConnect(port, { device: null });
     });
 
+    test("rejects node role when device identity is omitted", async () => {
+      const ws = await openWs(port);
+      const token = resolveGatewayTokenOrEnv();
+      try {
+        const res = await connectReq(ws, {
+          role: "node",
+          token,
+          device: null,
+          client: {
+            id: GATEWAY_CLIENT_NAMES.NODE_HOST,
+            version: "1.0.0",
+            platform: "test",
+            mode: GATEWAY_CLIENT_MODES.NODE,
+          },
+        });
+        expect(res.ok).toBe(false);
+        expect(res.error?.message ?? "").toContain("device identity required");
+      } finally {
+        ws.close();
+      }
+    });
+
     test("allows health when scopes are empty", async () => {
       const ws = await openWs(port);
       try {

src/gateway/server/ws-connection/message-handler.ts

@@ -490,7 +490,7 @@ export function attachGatewayWsMessageHandler(params: {
             return true;
           }
           clearUnboundScopes();
-          const canSkipDevice = sharedAuthOk;
+          const canSkipDevice = role === "operator" && sharedAuthOk;
 
           if (isControlUi && !controlUiAuthPolicy.allowBypass) {
             const errorMessage =