fix(gateway): add shared-secret fallback to trusted-proxy auth dispatcher

[dashed]

Summary

Stacked on openclaw#17705 — review/merge that PR first. Once merged, this PR's changes should be re-targeted to main on upstream.

The gateway's authorizeGatewayConnect dispatcher treats trusted-proxy as a single-mode gate: when proxy auth fails (e.g. internal services connecting directly without the reverse proxy), the function early-returns before reaching the shared-secret (token/password) or Tailscale code paths. This breaks all internal consumers — node host, CLI RPC, ACP, TUI, agent tools, etc.

This PR adds an inline shared-secret fallback within the trusted-proxy block:

• When proxy auth fails and a token/password is configured, attempt shared-secret auth before returning failure
• Rate-limit fallback attempts using the existing AuthRateLimiter
• Preserve proxy auth priority (successful proxy auth still short-circuits)
• Fix allowTailscale default to not exclude trusted-proxy mode

Changes

• src/gateway/auth.ts: Move rate-limiter/IP resolution before trusted-proxy block; add token and password fallback with rate limiting when proxy auth fails; fix allowTailscale default condition
• src/gateway/auth.test.ts: 9 new unit tests for the fallback path (success, rejection, rate limiting, priority)
• src/gateway/server.auth.e2e.test.ts: 3 new e2e tests for internal connections with token fallback + device identity

Connection flow (after fix)

Client connects to gateway (mode=trusted-proxy)
├─ From trusted proxy with user header? → ✅ Authenticated (trusted-proxy)
├─ Proxy auth failed, token/password configured?
│  ├─ Rate-limited? → ❌ Rejected (rate_limited)
│  ├─ Valid token? → ✅ Authenticated (token) → device-pairing works
│  ├─ Valid password? → ✅ Authenticated (password) → device-pairing works
│  └─ No match → ❌ Original proxy failure reason
└─ No fallback credentials configured → ❌ Original proxy failure reason

Related Issues

• [Feature]: Allow disabling auth with LAN binding for reverse proxy setups openclaw/openclaw#1560 — original trusted-proxy auth implementation
• [Bug]: Device token auth regression in v2026.2.14 - token priority flip in d8a2c80cd breaks non-localhost clients openclaw/openclaw#17270 — device_token_mismatch errors in trusted-proxy setups
• [Bug]: openclaw status --deep crashes when gateway is unreachable openclaw/openclaw#17106 — canSkipDevice/skipPairing gate logic
• feat(gateway): server-side token injection for reverse proxy deployments openclaw/openclaw#10382 — auth mode configuration
• [Bug]: openclaw node run fails silently with "1008: pairing required" when connecting to a remote gateway openclaw/openclaw#4833 — GatewayClient reconnect behavior
• [Bug]: Docker manual setup fails - CLI cannot reach gateway due to network configuration openclaw/openclaw#5559 — rate limiting for auth

Test Plan

• 9 unit tests for shared-secret fallback (proxy success unchanged, token/password fallback, rejection, rate limiting, priority)
• 3 e2e tests for internal connections (token + device identity, token + no device, proxy priority)
• All existing 30 unit tests pass
• All existing 33 e2e tests pass
• oxlint — 0 errors
• oxfmt — clean
• tsgo — clean

[github-actions]

⚠️ Formal models conformance drift detected

The formal models extracted constants (generated/*) do not match this openclaw PR.

This check is informational (not blocking merges yet).
See the formal-models-conformance-drift artifact for the diff.

If this change is intentional, follow up by updating the formal models repo or regenerating the extracted artifacts there.