fix(gateway): thread-safe PairingStore with atomic writes

[CharlieKerfoot]

Problem

The gateway runs multiple platform adapters (Telegram, Discord, Slack, etc.)
concurrently in threads sharing a single PairingStore instance. Without locking,
concurrent pairing requests raced on the same read-modify-write cycle, which could:

• Drop an approved user from the approved list
• Lose a pending pairing code
• Allow lockout bypass via a race on _rate_limits.json

_secure_write() also used path.write_text() (non-atomic), so a crash mid-write
could leave a truncated JSON file.

Fix

• _secure_write() replaced with tempfile.mkstemp + os.fsync + os.replace —
  readers always see a complete file, never a partial write
• PairingStore gains self._lock (threading.RLock) — all composite
  read-modify-write methods (generate_code, approve_code, revoke,
  clear_pending) hold it for their full duration

Testing

1. Start the gateway with two or more platform adapters configured
2. Trigger simultaneous pairing requests from different platforms
3. Verify both codes appear in hermes pair list and neither is lost