
M12/Phase 3: Authentication and rate limiting #85

@bug-ops

Epic: #82
Effort: S (2 SP)

Deliverables

  • Bearer token authentication middleware (tower layer)
  • a2a.auth_token config field with ZEPH_A2A_AUTH_TOKEN env var
  • Reject unauthenticated requests with 401
  • Rate limiting via tower RateLimit middleware
  • a2a.rate_limit config (requests per minute, default: 60)
  • Request body size limit (default: 1 MiB)

Acceptance Criteria

  • Requests without valid Bearer token rejected with 401
  • Rate-limited requests rejected with 429
  • Oversized request bodies rejected with 413
  • Auth token configurable via config and env var
  • Rate limit configurable in TOML
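The three guards listed above, as an added example that is not zeph's own code: a std-only Rust sketch standing in for the tower layers the issue names, mapping each rejection to the status code in the acceptance criteria. The `max_body_bytes` field name, the check order (auth, then rate limit, then body size) and the constant-time token comparison are assumptions of this example, and the token value is constructed.

```rust
// Added example, not code from the zeph project: the three request guards the
// issue specifies (Bearer auth -> 401, rate limit -> 429, body size -> 413),
// written against std only so it runs without tower/axum. In the service each
// guard would be a tower layer; here they are plain functions.
use std::time::Instant;

pub const UNAUTHORIZED: u16 = 401;
pub const PAYLOAD_TOO_LARGE: u16 = 413;
pub const TOO_MANY_REQUESTS: u16 = 429;

/// The `[a2a]` settings the issue names. `max_body_bytes` is a hypothetical
/// field name (the issue only fixes the 1 MiB default). Assumed TOML shape:
///   [a2a]
///   auth_token = "..."   # or the ZEPH_A2A_AUTH_TOKEN environment variable
///   rate_limit = 60      # requests per minute
pub struct A2aConfig {
    pub auth_token: String,
    pub rate_limit: u32,
    pub max_body_bytes: usize,
}

/// Constant-time comparison: rejection latency must not depend on how many
/// leading bytes of a presented token were right.
pub fn ct_eq(a: &[u8], b: &[u8]) -> bool {
    if a.len() != b.len() {
        return false;
    }
    let diff = a.iter().zip(b).fold(0u8, |acc, (x, y)| acc | (x ^ y));
    diff == 0
}

/// Bearer check: missing header, wrong scheme and wrong token all map to 401.
pub fn check_bearer(cfg: &A2aConfig, authorization: Option<&str>) -> Result<(), u16> {
    let presented = authorization
        .and_then(|h| h.strip_prefix("Bearer "))
        .ok_or(UNAUTHORIZED)?;
    ct_eq(presented.as_bytes(), cfg.auth_token.as_bytes())
        .then_some(())
        .ok_or(UNAUTHORIZED)
}

/// Token bucket holding one minute's budget, refilled continuously: a burst of
/// `rate_limit` requests passes, sustained traffic settles at the limit.
pub struct RateLimiter {
    capacity: f64,
    refill_per_sec: f64,
    tokens: f64,
    last: Instant,
}

impl RateLimiter {
    pub fn new(per_minute: u32, now: Instant) -> Self {
        let capacity = f64::from(per_minute);
        RateLimiter { capacity, refill_per_sec: capacity / 60.0, tokens: capacity, last: now }
    }

    /// The clock is passed in rather than read here so the behaviour is testable.
    pub fn try_acquire(&mut self, now: Instant) -> Result<(), u16> {
        let elapsed = now.saturating_duration_since(self.last).as_secs_f64();
        self.tokens = (self.tokens + elapsed * self.refill_per_sec).min(self.capacity);
        self.last = now;
        if self.tokens < 1.0 {
            return Err(TOO_MANY_REQUESTS);
        }
        self.tokens -= 1.0;
        Ok(())
    }
}

/// Body limit from the declared Content-Length. A streaming layer must also
/// enforce it on bytes actually read, since the header is client-controlled.
pub fn check_body_size(cfg: &A2aConfig, content_length: usize) -> Result<(), u16> {
    (content_length <= cfg.max_body_bytes)
        .then_some(())
        .ok_or(PAYLOAD_TOO_LARGE)
}

/// The guards in the order a layered server would run them (assumed order,
/// following the issue's list): auth first, so unauthenticated traffic cannot
/// consume the shared rate budget, then rate limit, then body size.
pub fn guard(
    cfg: &A2aConfig,
    limiter: &mut RateLimiter,
    authorization: Option<&str>,
    content_length: usize,
    now: Instant,
) -> Result<(), u16> {
    check_bearer(cfg, authorization)?;
    limiter.try_acquire(now)?;
    check_body_size(cfg, content_length)
}

/// Constructed sample configuration (the token is a made-up value).
pub fn example_config() -> A2aConfig {
    A2aConfig {
        auth_token: "constructed-example-token".to_owned(),
        rate_limit: 60,
        max_body_bytes: 1 << 20,
    }
}
```

Like the tower RateLimit layer the issue names, this limiter is global rather than per-client, so one caller can use up the budget for everyone sharing the endpoint. Running auth before the limiter keeps unauthenticated traffic from doing that; the reverse order would throttle token guessing instead. Which trade-off the service wants is a decision the issue leaves open.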

Labels

  • a2a (A2A protocol integration)
  • feature (New functionality)
  • security (Security-related issue)