Provide a documented secure config preset wiring the existing JWT/RBAC/TLS: auth.enabled, require_auth_for=all, TLS, CORS restricted to explicit origins, rate limiting; plus a hardening checklist. The gateway default stays dev-friendly (open, no auth); the secure preset is opt-in and is what packaged deployments apply.
- Acceptance: enabling the preset refuses unauthenticated writes and serves over TLS; the default (no preset) stays dev-friendly.
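One way to turn the hardening checklist into an automated check, as an added example that is not the project's own code. Only `auth.enabled` and `require_auth_for=all` come from the text above; placing `require_auth_for` under `auth`, and every `tls.*`, `cors.*` and `rate_limit.*` key name, is an assumed layout.

```python
# Added example: audits a gateway config against the secure preset's items.
# Only auth.enabled and require_auth_for=all come from the page; all other key
# names (tls.*, cors.allowed_origins, rate_limit.*) are a hypothetical layout.

def get(cfg, dotted, default=None):
    """Look up a dotted path such as 'auth.enabled' in nested dicts."""
    node = cfg
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return default
        node = node[part]
    return node

def audit(cfg):
    """Return hardening findings; an empty list means the preset holds."""
    findings = []
    if get(cfg, "auth.enabled") is not True:
        findings.append("auth.enabled is not true")
    if get(cfg, "auth.require_auth_for") != "all":
        findings.append("require_auth_for is not 'all'")
    if get(cfg, "tls.enabled") is not True:
        findings.append("TLS is not enabled")
    elif not (get(cfg, "tls.cert_file") and get(cfg, "tls.key_file")):
        findings.append("TLS enabled without cert_file/key_file")
    origins = get(cfg, "cors.allowed_origins", [])
    if not isinstance(origins, list) or not origins:
        findings.append("CORS has no explicit origin list")
    elif any(not isinstance(o, str) or "*" in o for o in origins):
        findings.append("CORS origin list contains a wildcard")
    rate = get(cfg, "rate_limit.requests_per_minute")
    if get(cfg, "rate_limit.enabled") is not True or type(rate) is not int or rate <= 0:
        findings.append("rate limiting is off or has no positive limit")
    return findings

# Constructed sample configs (not taken from the project).
DEV_DEFAULT = {"auth": {"enabled": False}, "cors": {"allowed_origins": ["*"]}}
SECURE_PRESET = {
    "auth": {"enabled": True, "require_auth_for": "all"},
    "tls": {"enabled": True, "cert_file": "/etc/gateway/tls.crt",
            "key_file": "/etc/gateway/tls.key"},
    "cors": {"allowed_origins": ["https://app.example.com"]},
    "rate_limit": {"enabled": True, "requests_per_minute": 120},
}

if __name__ == "__main__":
    for name, cfg in (("dev default", DEV_DEFAULT), ("secure preset", SECURE_PRESET)):
        print(name, "->", audit(cfg) or "OK")
```

Run against the packaged config at startup or in CI, a non-empty result is a reason to fail the deployment rather than fall back to the open default.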