From 91de302a702f8f8bea61798faa4441f601850604 Mon Sep 17 00:00:00 2001
From: Rai Butera
Date: Thu, 12 Mar 2026 16:35:33 +0000
Subject: [PATCH] fix(gateway): derive inter-session attestation from handshake trust
---
 .../server/ws-connection/message-handler.ts | 22 ++++++++++---------
 1 file changed, 12 insertions(+), 10 deletions(-)
diff --git a/src/gateway/server/ws-connection/message-handler.ts b/src/gateway/server/ws-connection/message-handler.ts
index 4f369f2c14a..03793b279ba 100644
--- a/src/gateway/server/ws-connection/message-handler.ts
+++ b/src/gateway/server/ws-connection/message-handler.ts
@@ -674,14 +674,18 @@ export function attachGatewayWsMessageHandler(params: {
 authOk,
 authMethod,
 });
+ const isInternalBackendClient = shouldSkipBackendSelfPairing({
+ connectParams,
+ isLocalClient,
+ hasBrowserOriginHeader,
+ sharedAuthOk,
+ authMethod,
+ });
+ // auth.mode=none disables all authentication — device pairing is an
+ // auth mechanism and must also be skipped when the operator opted out.
 const skipPairing =
- shouldSkipBackendSelfPairing({
- connectParams,
- isLocalClient,
- hasBrowserOriginHeader,
- sharedAuthOk,
- authMethod,
- }) ||
+ resolvedAuth.mode === "none" ||
+ isInternalBackendClient ||
 shouldSkipControlUiPairing(
 controlUiAuthPolicy,
 role,
@@ -990,9 +994,7 @@ export function attachGatewayWsMessageHandler(params: {
 canvasHostUrl,
 canvasCapability,
 canvasCapabilityExpiresAtMs,
- isInternalBackendClient:
- connectParams.client.id === GATEWAY_CLIENT_IDS.GATEWAY_CLIENT &&
- connectParams.client.mode === GATEWAY_CLIENT_MODES.BACKEND,
+ isInternalBackendClient,
 };
 setSocketMaxPayload(socket, MAX_PAYLOAD_BYTES);
 setClient(nextClient);
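Review bot: The new `resolvedAuth.mode === "none" ||` term in `skipPairing` (first hunk) turns off device pairing for every connection, and the commit subject does not mention this behaviour change. Unlike the backend check beside it, the term does not consult `isLocalClient` or `hasBrowserOriginHeader`, so a gateway running with auth disabled and reachable beyond loopback would accept remote and browser-origin clients without pairing; whether that exposure can occur depends on bind configuration that is outside this hunk. If the opt-out is meant for local use only, consider `(resolvedAuth.mode === "none" && isLocalClient) ||`, and otherwise emit a startup warning so the operator sees that pairing is off. The enclosing function starts and ends outside the hunk.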
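Review bot: The `isInternalBackendClient` value stored on the client record (second hunk) is now whatever `shouldSkipBackendSelfPairing` returns, so a flag that later code presumably treats as attestation depends on a helper named and maintained for pairing decisions. The helper's body is not part of this patch, so it is worth confirming that it still requires the backend client id and mode in addition to locality and shared auth, and how it evaluates `sharedAuthOk` when the auth mode is none. I would add a comment at the field, `// Derived from handshake trust (locality, origin, shared auth); never from client-declared id/mode alone.`, and a regression test asserting that a non-local or browser-origin connection declaring the backend id and mode does not receive the flag.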