
feat: add device auth for OpenClaw v2026.2.14+ compatibility #32

Merged
ibelick merged 1 commit into ibelick:main from robbyczgw-cla:feat/device-auth on Feb 16, 2026

@robbyczgw-cla
Contributor

Problem

Since OpenClaw v2026.2.14, clients without device identity have their scopes cleared during the WebSocket handshake. This breaks WebClaw — sessions, models, and chat all fail with missing scope: operator.read.

The current workaround requires two steps:

  1. dangerouslyDisableDeviceAuth: true in gateway config
  2. Requesting all operator scopes (PR fix: request full operator scopes for OpenClaw v2026.2.14 compatibility #31)

This PR eliminates the need for dangerouslyDisableDeviceAuth entirely.

Solution

Implement Ed25519 device authentication in WebClaw's gateway connection:

  • Generate a persistent Ed25519 keypair on first startup, stored at apps/webclaw/.device-keys.json (0600 permissions)
  • Derive device ID from the public key (SHA-256 of raw key, hex-encoded)
  • Sign the connect payload using the canonical format expected by the gateway (v1|deviceId|clientId|...)
  • Include device field in the WebSocket connect params
  • Handle close code 1008 (pairing required) with actionable log message

Details

  • Uses Node.js crypto only — no external dependencies
  • Graceful fallback: if device auth setup fails, connection proceeds without it (backwards compatible)
  • Works with both v2026.2.14 (dangerouslyDisableDeviceAuth still needed for scope preservation) and v2026.2.15+ (full device auth, no config flag needed)
  • Localhost connections are auto-approved by the gateway

Changes

  • apps/webclaw/src/server/gateway.ts — Device identity + signing + connect params
  • .gitignore — Exclude .device-keys.json

Testing

  • Implemented and verified in OpenCami (WebClaw fork)
  • Tested with OpenClaw v2026.2.15 — connections authenticated, scopes preserved, dangerouslyDisableDeviceAuth removed successfully

Closes #30 (together with #31)


AI-assisted (Codex). Reviewed and tested by human.
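
The identity and signing steps listed under Solution, sketched as an added example that is not part of the PR or of WebClaw's code. The page elides the payload fields after clientId, so `rest` holds constructed placeholders; the `device` property names and the verifier-side logic are assumptions.

```javascript
// Added example, not WebClaw's or OpenClaw's code. Uses Node.js built-in crypto only.
const { createHash, createPublicKey, generateKeyPairSync, sign, verify } = require('node:crypto');

// Raw 32-byte Ed25519 public key, read from the JWK "x" member.
function rawPublicKey(publicKey) {
  return Buffer.from(publicKey.export({ format: 'jwk' }).x, 'base64url');
}

// Device ID as the PR describes it: SHA-256 of the raw public key, hex-encoded.
function deviceIdFor(rawPub) {
  return createHash('sha256').update(rawPub).digest('hex');
}

// Canonical string "v1|deviceId|clientId|<rest>". The PR elides the fields after
// clientId, so `rest` is a caller-supplied list of constructed placeholders.
function canonicalPayload(deviceId, clientId, rest) {
  const fields = ['v1', deviceId, clientId, ...rest].map(String);
  // A "|" inside a field would let two different field lists sign identically.
  if (fields.some((f) => f.includes('|'))) throw new Error('field contains "|"');
  return fields.join('|');
}

// Client side: build the device object for the connect params (property names assumed).
function signConnect(keys, clientId, rest) {
  const rawPub = rawPublicKey(keys.publicKey);
  const id = deviceIdFor(rawPub);
  const sig = sign(null, Buffer.from(canonicalPayload(id, clientId, rest)), keys.privateKey);
  return { id, publicKey: rawPub.toString('base64url'), signature: sig.toString('base64url') };
}

// Verifier side (assumed logic): the ID must be the hash of the presented key, and the
// signature must cover a payload rebuilt from values the verifier itself observed.
function verifyConnect(device, clientId, rest) {
  const rawPub = Buffer.from(device.publicKey, 'base64url');
  if (rawPub.length !== 32 || deviceIdFor(rawPub) !== device.id) return false;
  const key = createPublicKey({
    key: { kty: 'OKP', crv: 'Ed25519', x: rawPub.toString('base64url') },
    format: 'jwk',
  });
  const payload = Buffer.from(canonicalPayload(device.id, clientId, rest));
  return verify(null, payload, key, Buffer.from(device.signature, 'base64url'));
}

// Constructed sample values.
const keys = generateKeyPairSync('ed25519');
const device = signConnect(keys, 'example-client', ['placeholder-field']);
console.log(device.id, verifyConnect(device, 'example-client', ['placeholder-field']));
```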

Development

Successfully merging this pull request may close these issues.

WebClaw broken with OpenClaw v2026.2.14: missing scope operator.read