#22280: fix(gateway): silently auto-approve local paired-device scope upgrades
gateway
size: S
Cluster: Device Pairing and Gateway Fixes
## Summary
Fix local paired-device reconnect regressions where role/scope upgrades could return `pairing required` instead of silently proceeding.
## What changed
- Gateway pairing decision now allows silent pairing for local upgrade paths only when there is an existing paired-device context.
- Keeps silent behavior for `not-paired` local flow.
- Adds an e2e regression test: `silently auto-approves local CLI scope upgrades`.
## Security rationale
- Avoids trusting client-claimed `client.id` / `client.mode` for privileged silent behavior.
- Uses gateway-observed locality plus existing paired-device context for upgrade silent path.
## Validation
- Added targeted e2e test in `src/gateway/server.auth.e2e.test.ts`.
- Verified behavior:
  - test fails without patch (`expected true, received false`)
  - test passes with patch
## Related issue
- Closes #22279
### Greptile Summary
Fixes local paired-device reconnect regression by allowing silent auto-approval for scope/role upgrades when a device is already paired and connecting locally.
- Modified `requirePairing` function to accept `hasExistingPairing` parameter
- Silent pairing now allowed for: `not-paired` reason OR when `hasExistingPairing=true` (both require `isLocalClient`)
- All upgrade path calls (`role-upgrade`, `scope-upgrade`) now pass `hasExistingPairing=true`
- Added e2e regression test verifying CLI scope upgrade (`operator.read` → `operator.admin`) succeeds silently for local connections
- Security model preserved: relies on gateway-observed locality (`isLocalDirectRequest`) rather than client-claimed attributes
### Confidence Score: 5/5
- Safe to merge with minimal risk
- Fix is well-targeted with clear security rationale, comprehensive test coverage, and preserves existing security model by using server-validated locality rather than client claims
- No files require special attention
Last reviewed commit: d52bbde
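The decision rule that both the PR body and the Greptile summary describe (silent pairing only when the gateway itself observed a local direct connection, and either the device is not yet paired or it already holds a pairing that the request upgrades), modelled as an added example. This is not the project's `requirePairing`; `PairedDeviceStore`, `decidePairing`, `silentBeforeFix`, `silentAfterFix`, the `ConnectionContext` shape and the scope strings are assumptions made for illustration, and the scenario data is constructed. It also shows, for contrast, the pre-fix rule that bounced a locally connected, already-paired device asking for more scopes, and a remote socket that merely claims to be the local CLI.

```typescript
// Added example, not the project's code. Names and shapes are assumptions.

type PairingReason = "not-paired" | "role-upgrade" | "scope-upgrade";

interface DeviceRecord {
  role: string;
  scopes: string[];
}

interface PairingRequest {
  deviceId: string;
  role: string;
  scopes: string[];
  // Client-claimed attributes. Kept on the request to make the point that the
  // decision below never reads them: a remote client can put anything here.
  clientId?: string;
  clientMode?: string;
}

interface ConnectionContext {
  // Locality as observed by the gateway from the transport (a direct loopback
  // socket, for instance), never taken from the client payload.
  isLocalDirectRequest: boolean;
}

type PairingDecision =
  | { outcome: "allowed"; silent: boolean; record: DeviceRecord }
  | { outcome: "pairing-required"; reason: PairingReason };

type SilentRule = (reason: PairingReason, hasExistingPairing: boolean, isLocalClient: boolean) => boolean;

class PairedDeviceStore {
  private readonly devices = new Map<string, DeviceRecord>();

  pair(deviceId: string, record: DeviceRecord): void {
    this.devices.set(deviceId, { role: record.role, scopes: [...record.scopes] });
  }

  get(deviceId: string): DeviceRecord | undefined {
    return this.devices.get(deviceId);
  }
}

// Pre-fix rule (for contrast): only a first-time local pairing is silent, so a
// local device that is already paired and asks for more scopes is bounced with
// "pairing required".
const silentBeforeFix: SilentRule = (reason, _hasExistingPairing, isLocalClient) =>
  isLocalClient && reason === "not-paired";

// Post-fix rule: silent when the gateway observed the connection as local AND
// either the device was never paired or it already has a pairing that this
// request upgrades. Client-claimed id/mode play no part in the decision.
const silentAfterFix: SilentRule = (reason, hasExistingPairing, isLocalClient) =>
  isLocalClient && (reason === "not-paired" || hasExistingPairing);

function coveredBy(existing: DeviceRecord, req: PairingRequest): boolean {
  return existing.role === req.role && req.scopes.every((s) => existing.scopes.includes(s));
}

function decidePairing(
  store: PairedDeviceStore,
  ctx: ConnectionContext,
  req: PairingRequest,
  rule: SilentRule = silentAfterFix,
): PairingDecision {
  const existing = store.get(req.deviceId);
  if (existing && coveredBy(existing, req)) {
    // Plain reconnect within the already-granted role and scopes: nothing to approve.
    return { outcome: "allowed", silent: true, record: existing };
  }
  const reason: PairingReason = !existing
    ? "not-paired"
    : existing.role !== req.role
      ? "role-upgrade"
      : "scope-upgrade";
  const hasExistingPairing = existing !== undefined;
  // Locality comes from the gateway-side context only; req.clientId/clientMode are ignored.
  const isLocalClient = ctx.isLocalDirectRequest;
  if (!rule(reason, hasExistingPairing, isLocalClient)) {
    return { outcome: "pairing-required", reason };
  }
  const record: DeviceRecord = { role: req.role, scopes: [...req.scopes] };
  store.pair(req.deviceId, record);
  return { outcome: "allowed", silent: true, record };
}

// Constructed scenario mirroring the regression test: a local CLI device paired
// with operator.read reconnects asking for operator.admin as well.
function runLocalScopeUpgrade(rule: SilentRule = silentAfterFix): PairingDecision {
  const store = new PairedDeviceStore();
  store.pair("cli-1", { role: "operator", scopes: ["operator.read"] });
  return decidePairing(
    store,
    { isLocalDirectRequest: true },
    { deviceId: "cli-1", role: "operator", scopes: ["operator.read", "operator.admin"] },
    rule,
  );
}

// Same upgrade from a remote socket that merely claims to be the local CLI.
function runRemoteImpersonation(): PairingDecision {
  const store = new PairedDeviceStore();
  store.pair("cli-1", { role: "operator", scopes: ["operator.read"] });
  return decidePairing(
    store,
    { isLocalDirectRequest: false },
    { deviceId: "cli-1", role: "operator", scopes: ["operator.admin"], clientId: "cli", clientMode: "local" },
  );
}
```

The `hasExistingPairing` input is derived from the gateway's own device store, and `isLocalClient` from the transport context, so the only way to reach the silent path is to already be paired and to actually be connecting locally; a first-time remote connection still returns `not-paired` and a remote upgrade still returns `scope-upgrade`, both requiring explicit approval.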
## Most Similar PRs
- #22587: fix(gateway): silently auto-approve local paired-device scope upgrades (by abhishekp76, 2026-02-21, 94.6%)
- #22712: fix(gateway): auto-approve all device pairing for localhost connect... (by NewdlDewdl, 2026-02-21, 90.5%)
- #23708: fix(gateway): auto-approve scope upgrades for loopback clients (by widingmarcus-cyber, 2026-02-22, 89.4%)
- #17425: fix(gateway): auto-approve scope/role upgrades for already-paired d... (by sauerdaniel, 2026-02-15, 88.0%)
- #22365: fix(gateway): auto-approve loopback scope upgrades (by AIflow-Labs, 2026-02-21, 87.1%)
- #23690: fix(gateway): subagent sessions fail with pairing required on loopb... (by yinghaosang, 2026-02-22, 86.1%)
- #21666: fix(gateway): restrict auto-paired device scopes to safe defaults (by AI-Reviewer-QS, 2026-02-20, 86.0%)
- #19088: fix(gateway): allow startup with unset mode and fix pairing for local… (by mdanassaif, 2026-02-17, 85.4%)
- #21664: fix(gateway): require re-pairing for legacy devices that lack scope... (by AI-Reviewer-QS, 2026-02-20, 85.3%)
- #22794: fix: allow local clients to auto-pair without manual approval (by Matrix-Meta, 2026-02-21, 84.9%)