#10486: feat: A2A protocol plugin

## Summary Depends on #9999 (Docker fixes) — merge that first. - Adds A2A (Agent-to-Agent) protocol plugin under `extensions/a2a/` - Exposes the gateway as an A2A-compatible agent with inbound API key auth (secure by default) - Provides `send_message_to_agent` and `get_agent_card` tools for calling remote A2A agents - Supports outbound auth with per-URL header/credential config - Includes key management commands (`a2a generate-key`, `a2a list-keys`, `a2a revoke-key`) - Adds comprehensive docs at `docs/plugins/a2a.md` covering setup, authentication, and Tailscale Funnel for public access ## Test plan - [ ] Enable plugin in config and verify agent card at `/.well-known/agent-card.json` - [ ] Send A2A `message/send` via curl with API key and confirm response - [ ] Test outbound `send_message_to_agent` tool against a remote A2A agent - [ ] Verify inbound auth rejects unauthenticated requests - [ ] Run `pnpm vitest run extensions/a2a` for unit tests - [ ] Test Tailscale Funnel public access end-to-end 🤖 Generated with [Claude Code](https://claude.com/claude-code) <!-- greptile_comment --> <h2>Greptile Overview</h2> <h3>Greptile Summary</h3> - Adds a new `extensions/a2a/` plugin that exposes the gateway as an A2A agent (agent card endpoint + `/a2a` JSON-RPC), including inbound API key auth and outbound per-URL auth headers. - Implements an A2A→OpenClaw bridge via `OpenClawAgentExecutor`, plus tools for calling remote A2A agents (`send_message_to_agent`, `get_agent_card`). - Adds CLI commands for inbound key management and updates Docker/dev setup docs/scripts to support workspace-based extension installs. <h3>Confidence Score: 3/5</h3> - This PR is close to mergeable but has a few concrete runtime/logging issues to fix first. - Core functionality and auth model look coherent, but the extension currently contains production `console.log` debug dumping gateway payloads/frames (noise + potential data exposure) and uses `crypto.randomUUID()` without importing `node:crypto`, which can cause runtime failures depending on the Node/bundling environment. - extensions/a2a/src/executor.ts, extensions/a2a/src/gateway-call.ts, extensions/a2a/src/tool.ts <!-- greptile_other_comments_section --> _{(3/5) Reply to the agent's comments like "Can you suggest a fix for this @greptileai?" or ask follow-up questions!} <!-- /greptile_comment -->