
#21664: fix(gateway): require re-pairing for legacy devices that lack scope metadata

by AI-Reviewer-QS, open, 2026-02-20 07:01
gateway size: XS
## Summary

- Legacy-paired devices (paired before role/scope tracking) bypass all scope and role validation because the check is inside `if (!hasLegacyPairedMetadata)`
- This allows legacy devices to self-declare any scopes, including `operator.admin`, without re-approval
- Fix: require re-pairing approval when a legacy device connects, so the user must approve the requested scopes

## Test plan

- Verify legacy devices (with `paired.roles === undefined && paired.scopes === undefined`) now trigger re-pairing
- Verify non-legacy devices continue to work as before

### Greptile Summary

Fixes a critical security vulnerability where legacy devices (paired before role/scope tracking was implemented) could bypass all scope and role validation. Previously, when `paired.roles === undefined && paired.scopes === undefined`, the validation logic was completely skipped, allowing these devices to self-declare any scopes, including privileged ones like `operator.admin`.

The fix adds an `else` branch that unconditionally requires re-pairing approval for legacy devices. This ensures users must explicitly approve the requested roles and scopes before the device can connect, establishing proper metadata for all future connections.

Also includes minor import reordering to match project style guidelines (type imports grouped at top).

### Confidence Score: 5/5

- This PR is safe to merge: it closes a critical security hole without breaking existing functionality
- The fix correctly addresses the vulnerability by adding an unconditional re-pairing requirement for legacy devices. The logic is straightforward and matches the existing pattern for scope upgrades. Import reordering is style-only and follows project conventions. No breaking changes for non-legacy devices.
- No files require special attention

Last reviewed commit: c72a6f9
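The check pattern this PR describes, as an added TypeScript example that is not the project's own code: the vulnerable shape, where the upgrade check lives only inside the non-legacy branch, next to the fixed shape with an unconditional `else` that sends legacy devices to re-pairing. `Paired`, `ConnectRequest`, `isLegacy`, `requestsUpgrade`, `authorizeVulnerable` and `authorizeFixed` are hypothetical names.

```typescript
// Added example, not the project's code: the two shapes of the scope check.
// Type and function names here are hypothetical.
type Paired = { roles?: string[]; scopes?: string[] };
type ConnectRequest = { roles: string[]; scopes: string[] };
type Decision = "connect" | "require-pairing";

function isLegacy(paired: Paired): boolean {
  // Devices paired before role/scope tracking carry neither field.
  return paired.roles === undefined && paired.scopes === undefined;
}

// True when the request asks for a role or scope not approved at pairing time.
// A missing field on the pairing record is treated as "nothing approved".
function requestsUpgrade(paired: Paired, req: ConnectRequest): boolean {
  const roles = paired.roles || [];
  const scopes = paired.scopes || [];
  const rolesCovered = req.roles.every((r) => roles.includes(r));
  const scopesCovered = req.scopes.every((s) => scopes.includes(s));
  return !(rolesCovered && scopesCovered);
}

// Vulnerable shape: the upgrade check only runs for non-legacy devices, so a
// legacy device that self-declares `operator.admin` falls through to "connect".
function authorizeVulnerable(paired: Paired, req: ConnectRequest): Decision {
  if (!isLegacy(paired)) {
    if (requestsUpgrade(paired, req)) return "require-pairing";
  }
  return "connect";
}

// Fixed shape: legacy devices unconditionally go through re-pairing approval,
// which is where the user sees and approves the requested roles and scopes.
function authorizeFixed(paired: Paired, req: ConnectRequest): Decision {
  if (!isLegacy(paired)) {
    if (requestsUpgrade(paired, req)) return "require-pairing";
  } else {
    return "require-pairing";
  }
  return "connect";
}

// Constructed sample input: a legacy pairing record (no metadata at all) and a
// connect request that claims the admin scope.
const legacyDevice: Paired = {};
const adminRequest: ConnectRequest = { roles: ["operator"], scopes: ["operator.admin"] };
```

`authorizeVulnerable(legacyDevice, adminRequest)` returns "connect" while `authorizeFixed` returns "require-pairing"; a non-legacy device whose request stays within its approved roles and scopes still connects under the fixed shape.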
