Prepare simulation gateway auth enforcement #471

Merged: anth-volk merged 1 commit into main from fix/enable-gateway-auth on Apr 28, 2026

@anth-volk
Contributor

Fixes #470

Summary

Prepare policyengine-api-v2 to safely enable simulation gateway auth enforcement.

Current main already contains the gateway-side auth dependency and the explicit GATEWAY_AUTH_REQUIRED flag, but it was still missing the CI/test/deploy plumbing needed to actually flip that flag on without breaking deploys.

Changes

  • Mint an Auth0 client_credentials token in integration CI and export it as simulation_integ_test_access_token
  • Plumb GATEWAY_AUTH_CLIENT_ID and GATEWAY_AUTH_CLIENT_SECRET through the reusable deploy workflow where needed
  • Tighten Modal secret sync so partial auth config fails fast and client credentials stay out of the gateway runtime secret
  • Normalize issuer trailing slash before writing the runtime gateway secret
  • Add a startup guard that crashes the gateway only when auth is required but misconfigured, while preserving the current optional/public mode otherwise
  • Add integration auth smoke coverage for gated endpoints

Rollout

  1. Set GATEWAY_AUTH_REQUIRED=1 in the beta environment and verify deploy + integration + auth smoke are green.
  2. Set GATEWAY_AUTH_REQUIRED=1 in prod after beta is green.

Validation

  • bash syntax checks for the updated deploy/test scripts
  • YAML parse of the reusable deploy workflow
  • targeted Ruff checks on touched Python files
  • gateway/unit script pytest suite passes
  • auth smoke test file collects and skips cleanly while auth is not yet required

anth-volk marked this pull request as ready for review April 28, 2026 23:11
anth-volk merged commit 2f7b3a0 into main Apr 28, 2026
4 checks passed
anth-volk deleted the fix/enable-gateway-auth branch April 28, 2026 23:24
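
The fail-fast secret sync, issuer normalization and startup guard listed in the PR description, sketched as an added example (not code from this PR or from policyengine-api-v2). `GATEWAY_AUTH_ISSUER`, `GATEWAY_AUTH_AUDIENCE`, the function names, treating only `1` as "required", and normalizing to exactly one trailing slash are assumptions; only `GATEWAY_AUTH_REQUIRED` and the client-credential variable names come from the page.

```python
"""Illustrative sketch only; names other than GATEWAY_AUTH_REQUIRED are assumed."""

ISSUER_VAR = "GATEWAY_AUTH_ISSUER"      # hypothetical name
AUDIENCE_VAR = "GATEWAY_AUTH_AUDIENCE"  # hypothetical name
RUNTIME_VARS = (ISSUER_VAR, AUDIENCE_VAR)


class GatewayAuthConfigError(RuntimeError):
    """Raised when auth settings are partial or required-but-missing."""


def _is_set(env, name):
    return bool(env.get(name, "").strip())


def normalize_issuer(issuer):
    """Force exactly one trailing slash (assumed direction of the normalization)."""
    return issuer.strip().rstrip("/") + "/"


def build_runtime_secret(env):
    """Deploy-time sync: all-or-nothing config; client credentials never copied."""
    present = [v for v in RUNTIME_VARS if _is_set(env, v)]
    if not present:
        return {}  # auth not configured: optional/public mode
    if len(present) != len(RUNTIME_VARS):
        missing = [v for v in RUNTIME_VARS if v not in present]
        raise GatewayAuthConfigError(f"partial auth config, missing {missing}")
    # Only RUNTIME_VARS are copied, so GATEWAY_AUTH_CLIENT_ID/SECRET stay out.
    secret = {v: env[v].strip() for v in RUNTIME_VARS}
    secret[ISSUER_VAR] = normalize_issuer(secret[ISSUER_VAR])
    return secret


def startup_guard(env):
    """Return True when auth is enforced; raise only if required but misconfigured."""
    if env.get("GATEWAY_AUTH_REQUIRED", "").strip() != "1":
        return False  # flag off: keep the optional/public behaviour
    missing = [v for v in RUNTIME_VARS if not _is_set(env, v)]
    if missing:
        raise GatewayAuthConfigError(f"GATEWAY_AUTH_REQUIRED=1 but missing {missing}")
    return True


if __name__ == "__main__":
    # Constructed sample environment, not real configuration.
    sample = {"GATEWAY_AUTH_REQUIRED": "1", ISSUER_VAR: "https://tenant.example",
              AUDIENCE_VAR: "https://gateway.example", "GATEWAY_AUTH_CLIENT_SECRET": "x"}
    print(build_runtime_secret(sample), startup_guard(sample))
```

Running the guard at process start, before the gateway binds its port, turns a misconfigured rollout into a failed deploy instead of a gateway that silently serves unauthenticated requests.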

Development

Successfully merging this pull request may close these issues.

Enable simulation gateway auth enforcement with CI token minting and startup guards