docs: refresh gateway auth precedence refs

This commit is contained in:
Peter Steinberger
2026-04-04 14:36:52 +01:00
parent 882654d9ae
commit 8ca5a9174a
5 changed files with 12 additions and 0 deletions

@@ -282,6 +282,8 @@ The Gateway treats these as **claims** and enforces server-side allowlists.
approved scope set for that token. This preserves read/probe/status access
that was already granted and avoids silently collapsing reconnects to a
narrower implicit admin-only scope.
- Normal connect auth precedence is explicit shared token/password first, then
explicit `deviceToken`, then stored per-device token, then bootstrap token.
- Additional `hello-ok.auth.deviceTokens` entries are bootstrap handoff tokens.
Persist them only when the connect used bootstrap auth on a trusted transport
such as `wss://` or loopback/local pairing.
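Review bot: the persistence rule on the last two added lines ("Persist them only when the connect used bootstrap auth on a trusted transport such as `wss://` or loopback/local pairing") leaves the set of trusted transports open-ended with "such as"; since this is the sentence an operator will use to decide whether handoff tokens were written to disk, list the exact transports the check accepts and say explicitly whether a non-loopback plain `ws://` connect is excluded. Minor: this hunk says "stored per-device token" while the matching precedence bullet in the other changed file in this commit says "stored device token"; use one term so the two documents agree.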

@@ -120,6 +120,9 @@ Common signatures:
- That cached-token retry reuses the cached scope set stored with the paired
device token. Explicit `deviceToken` / explicit `scopes` callers keep their
requested scope set instead.
- Outside that retry path, connect auth precedence is explicit shared
token/password first, then explicit `deviceToken`, then stored device token,
then bootstrap token.
- On the async Tailscale Serve Control UI path, failed attempts for the same
`{scope, ip}` are serialized before the limiter records the failure. Two bad
concurrent retries from the same client can therefore surface `retry later`
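Review bot: the new bullet "Outside that retry path, connect auth precedence is ..." states the order outside the cached-token retry but not what credential wins inside it, even though the bullet immediately above is about exactly that retry; add a clause such as "inside the retry the paired device token and its cached scope set are used" so the reader does not have to infer that the listed precedence is suspended there. Also, this bullet says "stored device token" while the other file changed in this commit says "stored per-device token"; word the precedence identically in both places.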