[Feature]: A2A: HMAC auth and basic RBAC

[alokdangre]

Contact Details

No response

Is your feature request related to a problem?

A2A operations are unauthenticated/unauthorized, which risks misuse of coordination primitives.

Describe the solution you'd like

Add AuthManager:

• HMAC-SHA256 token issue/verify using A2A_SECRET
• Per-agent role registry and has_role checks
• Constant-time compare to prevent timing leaks

Describe alternatives you've considered

• OIDC/mTLS: stronger but heavier to integrate initially; can be added later

Use Case

Gate sensitive operations (e.g., scaling, rollout triggers) to authorized roles; verify agent identity in message handlers.

Priority

High - Important for my workflow

Feature Type

• New functionality
• Performance improvement
• User experience enhancement
• Developer experience improvement
• Security enhancement
• Documentation improvement
• API enhancement

Additional Context

Production requires strong A2A_SECRET. Future: token rotation, per-agent secrets, mTLS/OIDC.

Implementation

• I would be willing to submit a pull request to implement this feature
• I can help with testing
• I can help with documentation
• I can provide feedback during development

Code of Conduct

• I agree to follow this project's Code of Conduct