fix(security): Enforce fail-closed for empty admin token (#425)

[Luffy2208]

Summary

Fixes the issue where an empty admin token silently disabled route protection.

• internal/server/middleware/auth.go: Added ValidateAdminTokenAuth and updated AdminTokenAuth middleware to return 401 instead of letting requests through when no token is set.
• internal/config/config.go: Added InsecureDisableAdminAuth field to configuration and mapped the AGENTFIELD_INSECURE_ADMIN_NO_TOKEN env var.
• internal/server/server.go: Added startup validation that stops the server from launching if the admin token is missing, unless insecure mode is explicitly configured.
• internal/server/routes_admin.go: Updated route registration to pass the new config structure to the middleware.
• tests: Added and updated unit tests to verify the new startup validations, env override flags, and 401/403 responses.

Type of change

• Bug fix
• New feature
• Refactor / cleanup
• Docs only
• Tests only
• CI / tooling
• Breaking change

Test plan

Run the following test commands locally to verify the new startup validations, the middleware's fail-closed unauthorized/forbidden assertions, and configuration override behavior:

• cd control-plane && go test -v ./internal/server/...
• cd control-plane && go test -v ./internal/server/middleware/...
• cd control-plane && go test -v ./internal/config/...

Test coverage

Before asking for review, please confirm:

• I ran tests for the surface(s) I changed locally.
• New code paths are covered by tests in this PR (no bare additions).
• If I removed code, I updated coverage-baseline.json in this PR only if the removal caused a legitimate regression and I called it out in the summary above.
• The coverage gate check is green in CI before requesting review.

Checklist

• I have read CONTRIBUTING.md (if present) and docs/DEVELOPMENT.md.
• Commits are signed and follow conventional-commits style.
• I have linked any related issues (Fixes feat(tests): add unit tests for vector memory handler functionality #123 / Closes test: add tests for TypeScript SDK utils (pattern, schema, httpAgents) #456).

Related issues / PRs

Closes #425

[github-actions]

📊 Coverage gate

Thresholds from .coverage-gate.toml: per-surface ≥ 84%, aggregate ≥ 85%, max per-surface regression ≤ 1.0 pp, max aggregate regression ≤ 0.50 pp.

Surface	Current	Baseline	Δ
control-plane	87.00%	87.40%	↓ -0.40 pp	🟡
sdk-go	91.80%	92.00%	↓ -0.20 pp	🟢
sdk-python	93.87%	93.73%	↑ +0.14 pp	🟢
sdk-typescript	90.05%	90.42%	↓ -0.37 pp	🟢
web-ui	84.82%	84.79%	↑ +0.03 pp	🟡
aggregate	85.62%	85.75%	↓ -0.13 pp	🟡

✅ Gate passed

No surface regressed past the allowed threshold and the aggregate stayed above the floor.

[github-actions]

📐 Patch coverage gate

Threshold: 80% on lines this PR touches vs origin/main (from .coverage-gate.toml:thresholds.min_patch).

Surface	Touched lines	Patch coverage	Status
control-plane	44	100.00%	✅
sdk-go	0	—	➖ no changes
sdk-python	0	—	➖ no changes
sdk-typescript	0	—	➖ no changes
web-ui	0	—	➖ no changes

✅ Patch gate passed

Every surface whose lines were touched by this PR has patch coverage at or above the threshold.

[santoshkumarradha]

Checked the auth/config path locally. The fail-closed behavior and explicit insecure escape hatch both look right, and the focused Go tests passed on my side.