Closed
Labels: enhancement (New feature or request)
Feature Request
Summary
Add secure-by-default authentication to the Forge A2A (Agent-to-Agent) server when running locally, so that local endpoints are not openly accessible without credentials.
Motivation
When the Forge A2A server runs locally, it currently lacks built-in authentication. This means any process or user on the local machine (or local network, depending on bind address) can interact with the server without authorization. Adding authentication by default improves security posture and aligns with the principle of least privilege, even in local development environments.
Proposed Behavior
- When the A2A server starts locally, it should require authentication out of the box (e.g., a bearer token, API key, or mTLS).
- A default credential (e.g., auto-generated token) should be created on first run and displayed to the user or written to a known config path.
- An option to explicitly disable authentication (e.g., --no-auth) should be available for development/testing scenarios, but the secure default should be auth-on.
Acceptance Criteria
- Local A2A server requires authentication by default
- Auto-generated credentials are surfaced to the user on startup
- Unauthenticated requests are rejected with an appropriate error
- A flag or config option exists to opt out of authentication when needed
- Documentation is updated to reflect the new behavior
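The following sketch shows how the proposed behaviour fits together: a bearer token is generated on first run and written with owner-only permissions to a config path, the server refuses requests without a valid token, and a --no-auth flag opts out. This is an added example, not Forge's own code; the token path (~/.forge/a2a_token), the response messages and the helper names are assumptions, while the --no-auth flag and bearer-token scheme follow the proposal above.

```python
"""Auth-on-by-default sketch for a locally run agent server.

Added example, not Forge's own code: the token path and the exact
messages are assumptions; the --no-auth flag and bearer-token scheme
follow the proposal in the issue text.
"""
import argparse
import hmac
import os
import secrets
import stat
import tempfile
from http.server import BaseHTTPRequestHandler, HTTPServer
from pathlib import Path
from typing import Optional, Tuple

# Assumed config location; the real project would pick its own path.
DEFAULT_TOKEN_PATH = Path.home() / ".forge" / "a2a_token"


def load_or_create_token(path: Path = DEFAULT_TOKEN_PATH) -> Tuple[str, bool]:
    """Return (token, created). On first run, generate a random token and
    write it with owner-only permissions so other local users cannot read it."""
    if path.exists():
        return path.read_text().strip(), False
    path.parent.mkdir(parents=True, exist_ok=True)
    token = secrets.token_urlsafe(32)
    # O_EXCL: fail rather than clobber if a file appeared in the meantime.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(token + "\n")
    return token, True


def authorize(auth_header: Optional[str], expected: str,
              auth_enabled: bool = True) -> Tuple[int, str]:
    """Decide whether a request may proceed. Returns (HTTP status, message);
    200 means accepted, 401 means the request must carry a valid bearer token."""
    if not auth_enabled:
        return 200, "ok (authentication disabled)"
    if not auth_header or not auth_header.startswith("Bearer "):
        return 401, "missing bearer token"
    presented = auth_header[len("Bearer "):].strip()
    # Constant-time comparison: do not leak how many bytes matched.
    if not hmac.compare_digest(presented.encode(), expected.encode()):
        return 401, "invalid bearer token"
    return 200, "ok"


def make_handler(token: str, auth_enabled: bool):
    """Build a request handler bound to the given token and auth setting."""

    class Handler(BaseHTTPRequestHandler):
        def do_POST(self):
            status, msg = authorize(self.headers.get("Authorization"),
                                    token, auth_enabled)
            body = msg.encode()
            self.send_response(status)
            if status == 401:
                self.send_header("WWW-Authenticate", 'Bearer realm="forge-a2a"')
            self.send_header("Content-Type", "text/plain")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *args):  # quiet for the example
            pass

    return Handler


def first_run_check() -> dict:
    """Exercise the first-run flow in a throwaway directory and report what
    happened, so the behaviour can be checked without touching $HOME."""
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp) / "a2a_token"
        tok1, created1 = load_or_create_token(path)
        tok2, created2 = load_or_create_token(path)
        mode = stat.S_IMODE(os.stat(path).st_mode)
        return {"created_first": created1, "created_second": created2,
                "same_token": tok1 == tok2, "token_len": len(tok1),
                "owner_only": mode == 0o600}


def main(argv=None):
    parser = argparse.ArgumentParser(description="local A2A server (auth sketch)")
    parser.add_argument("--no-auth", action="store_true",
                        help="disable authentication (development only)")
    parser.add_argument("--bind", default="127.0.0.1")
    parser.add_argument("--port", type=int, default=8000)
    args = parser.parse_args(argv)
    token = ""
    if args.no_auth:
        print("WARNING: authentication disabled via --no-auth")
    else:
        token, created = load_or_create_token()
        print(f"A2A token {'generated' if created else 'loaded'} at "
              f"{DEFAULT_TOKEN_PATH}: {token}")
    HTTPServer((args.bind, args.port),
               make_handler(token, not args.no_auth)).serve_forever()


if __name__ == "__main__":
    main()
```

Two design points worth keeping in a real implementation: the token file is created with mode 0600 and O_EXCL so a second local user cannot read or pre-plant it, and the comparison uses hmac.compare_digest so response timing does not reveal how much of a guessed token matched. Binding to 127.0.0.1 by default limits exposure to the local host, but as the motivation notes, that alone does not stop other local processes, which is why the token is still required.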