#22081: [Bug]: Preserve approved scope baseline through token rotation

by AIflow-Labs open 2026-02-20 17:52
app: web-ui gateway size: S
## Summary

Fixes #22067.

### Problem

`PairedDevice.scopes` was being used as the authorization baseline for scope-upgrade checks during reconnect. When a token is rotated with reduced scopes, that value could shrink and cause subsequent reconnects with previously granted scopes to return `pairing required`, even though the user had already approved a broader scope set.

### What changed

- Added `approvedScopes?: string[]` to `PairedDevice` in `src/infra/device-pairing.ts`.
- On pairing approval, initialize `approvedScopes` from the previously known scope set plus request scopes.
- On `rotateDeviceToken`, preserve/expand `approvedScopes` independently from `scopes` so the live token scope can narrow without losing the approved ceiling.
- Updated websocket scope-upgrade checks in `src/gateway/server/ws-connection/message-handler.ts` to evaluate upgrade permission against `paired.approvedScopes` when available, with fallback to legacy `paired.scopes`.
- Added regression tests:
  - `src/infra/device-pairing.test.ts`: ensures approved scope baseline persists across multiple rotations.
  - `src/gateway/server.auth.e2e.test.ts`: reproduces rotate-downscope then reconnect with broader scopes and verifies success.

### Safety / compatibility

- Backward compatible: records without `approvedScopes` continue to use existing behavior.
- No schema/API contract changes: this is internal paired metadata evolution.
- Rotation semantics are preserved: current token `scopes` still represent the active session scope and can narrow as before.

### Validation

- `pnpm vitest run --config vitest.unit.config.ts src/infra/device-pairing.test.ts`
- `pnpm vitest run --config vitest.e2e.config.ts src/gateway/server.auth.e2e.test.ts`
- `pnpm exec oxfmt --check src/gateway/server.auth.e2e.test.ts src/gateway/server/ws-connection/message-handler.ts src/infra/device-pairing.ts src/infra/device-pairing.test.ts`
- `pnpm exec oxlint --type-aware src/infra/device-pairing.ts src/infra/device-pairing.test.ts src/gateway/server.ws-connection/message-handler.ts src/gateway/server.auth.e2e.test.ts`

### Confidence score

- **10/10**
- This is a narrow, behavior-preserving change with direct regression coverage around the exact failure path.
- Logic is localized, deterministic, and includes compatibility handling for all pre-existing paired records.
- No unrelated behavioral surface was touched.
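
The rotate-then-reconnect behaviour described above, as an added example that is not the project's code. Only `PairedDevice`, `scopes` and `approvedScopes` come from the description; the function names, the scope strings and the legacy-record seeding on rotation are assumptions made for illustration.

```typescript
// Added example: simplified model, not the project's implementation.
// Only PairedDevice, scopes and approvedScopes come from the PR description.
interface PairedDevice {
  scopes: string[];          // scopes carried by the currently issued token
  approvedScopes?: string[]; // ceiling the user approved; absent on legacy records
}

// Order-preserving union without duplicates.
function union(a: string[], b: string[]): string[] {
  return a.concat(b).filter((s, i, all) => all.indexOf(s) === i);
}

// Pairing approval: ceiling = previously known scopes plus the requested ones.
function approvePairing(prev: PairedDevice | undefined, requested: string[]): PairedDevice {
  const known = union(prev?.approvedScopes ?? [], prev?.scopes ?? []);
  return { scopes: requested.slice(), approvedScopes: union(known, requested) };
}

// Rotation: the live token scope may narrow, the approved ceiling is kept.
// Assumption: a legacy record seeds its ceiling from scopes on first rotation.
function rotateToken(device: PairedDevice, newScopes: string[]): PairedDevice {
  const ceiling = device.approvedScopes ?? device.scopes;
  return { scopes: newScopes.slice(), approvedScopes: union(ceiling, newScopes) };
}

// Reconnect check: requested scopes outside the baseline need a new pairing approval.
function scopesNeedingApproval(device: PairedDevice, requested: string[], useApproved: boolean): string[] {
  const baseline = useApproved ? (device.approvedScopes ?? device.scopes) : device.scopes;
  return requested.filter((s) => baseline.indexOf(s) === -1);
}

// Constructed scenario: approve read+write, rotate down to read twice, reconnect.
function demoRotateThenReconnect() {
  let device = approvePairing(undefined, ["read", "write"]);
  device = rotateToken(device, ["read"]);
  device = rotateToken(device, ["read"]);
  return {
    legacyBaseline: scopesNeedingApproval(device, ["read", "write"], false),
    approvedBaseline: scopesNeedingApproval(device, ["read", "write"], true),
    neverApproved: scopesNeedingApproval(device, ["read", "admin"], true),
  };
}

console.log(demoRotateThenReconnect());
```

Checked against `scopes`, the reconnect is missing `write`, which is the `pairing required` case; checked against `approvedScopes`, nothing is missing. The `admin` scope, never approved, is still flagged under the approved baseline.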