fix(gateway): verify client signature before payload_hash

ARCHITECTURE.md §15 "Verification order" specifies signature verification
(step 4) before payload_hash (step 5), but the authenticated-edge
decorator chain wrapped the payload-hash gate outside the signature gate,
so the hash was checked first. gateway/README.md and gateway/docs/flows.md
had drifted to match the code (hash-first), leaving ARCHITECTURE.md as the
lone source describing the intended order.

Swap the two decorators in server.go so the signature gate runs first, and
align README + flows.md to ARCHITECTURE.md. Signature-first is the
cryptographically sound order: the signature covers the payload_hash field,
so the request is authenticated before any of its content is processed.

Observable side effect: a request carrying a tampered payload_hash whose
signature was computed over the original hash is now rejected at the
signature gate (UNAUTHENTICATED "invalid request signature") instead of the
hash gate (INVALID_ARGUMENT). Security is unchanged — both refusals happen
before the payload is handled. The four payload-hash unit tests re-sign
over the tampered hash so they keep exercising the hash gate; the
cross-service integration test signs over the overridden hash and already
accepts both codes.

Refs #39

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

gateway/README.md

@@ -579,8 +579,8 @@ ingress.
 2. Check whether `protocol_version` is supported.
 3. Resolve `device_session_id` through `SessionCache`.
 4. Reject unknown or revoked sessions.
-5. Verify that `payload_hash` matches raw `payload_bytes`.
-6. Verify the client signature using the public key from session cache.
+5. Verify the client signature using the public key from session cache.
+6. Verify that `payload_hash` matches raw `payload_bytes`.
 7. Verify that `timestamp_ms` is inside the accepted freshness window.
 8. Verify anti-replay by checking `device_session_id + request_id`.
 9. Apply authenticated rate limit and edge policy checks.