Epic: Access control completeness

[bug-ops]

Overview

Ensure authentication at all network-exposed entry points.

Issues

• A2A server exposes JSON-RPC endpoint without authentication #869 A2A server has no authentication middleware (medium, S)
• Gateway auth disabled by default with no warning #873 Gateway auth disabled by default with no warning (low, S)

Internal Critical Path

Independent — parallel.

Cross-Epic Dependencies

Relation	Epic	Reason
parallel with	all other epics	isolated to a2a/gateway server modules

No blockers, no dependencies. Fully independent.

Effort: S