fix: include trusted-proxy in sharedAuthOk check

In trusted-proxy mode, sharedAuthResult is null because hasSharedAuth
only triggers for token/password in connectParams.auth. But the primary
auth (authResult) already validated the trusted-proxy — the connection
came from a CIDR in trustedProxies with a valid userHeader. This IS
shared auth semantically (the proxy vouches for identity), so operator
connections should be able to skip device identity.

Without this fix, trusted-proxy operator connections are rejected with
"device identity required" because roleCanSkipDeviceIdentity() sees
sharedAuthOk=false.

(cherry picked from commit e87048a6a6)
Marco Di Dionisio
2026-02-23 19:20:26 +01:00
committed by Peter Steinberger
parent bc52d4a459
commit 83689fc838


@@ -133,9 +133,13 @@ export async function resolveConnectAuthState(params: {
// primary auth flow (or deferred for device-token candidates).
rateLimitScope: AUTH_RATE_LIMIT_SCOPE_SHARED_SECRET,
}));
// Trusted-proxy auth is semantically shared: the proxy vouches for identity,
// no per-device credential needed. Include it so operator connections
// can skip device identity via roleCanSkipDeviceIdentity().
const sharedAuthOk =
sharedAuthResult?.ok === true &&
(sharedAuthResult.method === "token" || sharedAuthResult.method === "password");
(sharedAuthResult?.ok === true &&
(sharedAuthResult.method === "token" || sharedAuthResult.method === "password")) ||
(authResult.ok && authResult.method === "trusted-proxy");
return {
authResult,
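Review bot: the added clause `(authResult.ok && authResult.method === "trusted-proxy")` makes `sharedAuthOk` true for every connection that passed trusted-proxy auth, and nothing in this hunk limits it to the operator role, so the role restriction rests entirely on `roleCanSkipDeviceIdentity()` and on any other reader of `sharedAuthOk` in the returned state. Consider carrying this as a separately named flag (for example a hypothetical `trustedProxyAuthOk`) that is combined only at the device-identity check, so that code which treats `sharedAuthOk` as "a token or password was verified" does not silently change meaning. For consistency with the `sharedAuthResult?.ok === true` comparison two lines above, write `authResult.ok === true` rather than relying on truthiness. The comment should also state the precondition from the commit message, that the connection came from a CIDR in trustedProxies with a valid userHeader, since after this change that configuration is the only thing standing in for device identity on these connections. A test covering a trusted-proxy operator connection, and one covering a non-operator role over the same proxy, would pin down the intended behaviour.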