fix: preserve gateway device auth when registering MC origin

[eloe]

Summary

• preserve gateway.controlUi.dangerouslyDisableDeviceAuth when Mission Control registers its dashboard origin
• keep registerMcAsDashboard() limited to gateway.controlUi.allowedOrigins
• add regression coverage to ensure device auth is not weakened and re-registration stays idempotent

Risk Level

Low

Tests

• pnpm lint
• pnpm typecheck
• pnpm test
• pnpm build
• pnpm quality:gate

Security Review

This change touches gateway auth posture. The previous behavior could silently set gateway.controlUi.dangerouslyDisableDeviceAuth=true during Mission Control dashboard-origin registration, weakening OpenClaw device authentication. This fix preserves the existing device-auth setting and limits registration to adding the Mission Control origin to gateway.controlUi.allowedOrigins.

Checklist

• Tests added/updated for the change
• Lint/typecheck/build passing
• Security impact reviewed
• Database migration not applicable

[0xNyk]

Thanks for the regression coverage here. I didn’t merge this PR directly because main already had the functional hardening in gateway-runtime.ts, and I merged that behavior plus equivalent regression tests in #446. Closing this as superseded by #446 so the history stays focused on the remaining compatibility fix.