Prod hardening: auth for /health endpoint + endpoint security

[webdevtodayjason]

Context

The /health HTTP endpoint (argentmunch serve) is currently unauthenticated. This is acceptable for local development but must be hardened before any production or shared-network deployment.

Requirements

• Add optional auth token for /health endpoint (env var or config file)
• Add rate limiting to prevent abuse
• Add CORS headers (restrict to known origins)
• Add TLS/HTTPS support or document reverse proxy pattern
• Consider IP allowlist option for MAO-only access
• Document security model in SECURITY.md

Context from PR

Opened as a follow-up from PR #1 (MVP implementation).

Priority

Must be resolved before deploying ArgentMunch on Dell R750 shared endpoint (Phase 2).

[webdevtodayjason]

Sprint Slice 2 — Thread Update (2026-03-05)

Execution order updated. See full coordinator summary: https://github.com/ArgentAIOS/argentos/issues/76#issuecomment-4002350291

Reassigned from Thread C → Thread E (parallel with argentmunch #6). Priority 4.

[webdevtodayjason]

Integrated in PR #7 (codex/slice2-munch-integration): health/status auth behavior hardened (token required by default, explicit local-dev override).