fix(gateway): require shared auth before device bypass

src/gateway/test-helpers.mocks.ts

@@ -7,6 +7,7 @@ import { Mock, vi } from "vitest";
 import type { ChannelPlugin, ChannelOutboundAdapter } from "../channels/plugins/types.js";
 import type { AgentBinding } from "../config/types.agents.js";
 import type { HooksConfig } from "../config/types.hooks.js";
+import type { TailscaleWhoisIdentity } from "../infra/tailscale.js";
 import type { PluginRegistry } from "../plugins/registry.js";
 import { applyPluginAutoEnable } from "../config/plugin-auto-enable.js";
 import { setActivePluginRegistry } from "../plugins/runtime.js";
@@ -167,6 +168,7 @@ const hoisted = vi.hoisted(() => ({
     waitCalls: [] as string[],
     waitResults: new Map<string, boolean>(),
   },
+  testTailscaleWhois: { value: null as TailscaleWhoisIdentity | null },
   getReplyFromConfig: vi.fn().mockResolvedValue(undefined),
   sendWhatsAppMock: vi.fn().mockResolvedValue({ messageId: "msg-1", toJid: "jid-1" }),
 }));
@@ -196,6 +198,7 @@ export const setTestConfigRoot = (root: string) => {
 };
 
 export const testTailnetIPv4 = hoisted.testTailnetIPv4;
+export const testTailscaleWhois = hoisted.testTailscaleWhois;
 export const piSdkMock = hoisted.piSdkMock;
 export const cronIsolatedRun = hoisted.cronIsolatedRun;
 export const agentCommand: Mock<() => void> = hoisted.agentCommand;
@@ -258,6 +261,15 @@ vi.mock("../infra/tailnet.js", () => ({
   pickPrimaryTailnetIPv6: () => undefined,
 }));
 
+vi.mock("../infra/tailscale.js", async () => {
+  const actual =
+    await vi.importActual<typeof import("../infra/tailscale.js")>("../infra/tailscale.js");
+  return {
+    ...actual,
+    readTailscaleWhoisIdentity: async () => testTailscaleWhois.value,
+  };
+});
+
 vi.mock("../config/sessions.js", async () => {
   const actual =
     await vi.importActual<typeof import("../config/sessions.js")>("../config/sessions.js");