fix(gateway): gate unsafe auth deployment modes

[alangou]

Summary

Gate unsafe gateway authentication postures for shared deployments. OIDC authentication-only mode now requires an explicit opt-in, and gRPC user requests without an auth path fail closed instead of passing through.

Related Issue

Closes OS-186

Changes

• Added gateway auth posture validation for shared Kubernetes/non-loopback deployments.
• Added explicit allow_oidc_auth_only config and Helm value for OIDC authentication-only mode.
• Replaced implicit no-auth gRPC pass-through with UNAUTHENTICATED.
• Updated Helm validation/rendering so auth-only OIDC renders empty roles only when explicitly opted in.
• Added Rust and Helm tests for auth-only, partial-role rejection, no-auth fail-closed behavior, and explicit dev/proxy no-auth.
• Updated Kubernetes, reference, security, Helm, and architecture docs.

Testing

• mise run pre-commit passes
• Unit tests added/updated
• E2E tests added/updated (if applicable)

Additional validation run:

• CARGO_TARGET_DIR="/home/op/OpenShell/target" mise run test
• CARGO_TARGET_DIR="/home/op/OpenShell/target" mise exec -- cargo test -p openshell-server
• mise run helm:test
• mise run helm:lint
• mise run helm:docs:check
• git diff --check

Note: mise run pre-commit could not be confirmed because the shell executor stopped returning statuses.

Checklist

• Follows Conventional Commits
• Commits are signed off (DCO)
• Architecture docs updated (if applicable)