feat(auth): add mTLS and custom header support for A2A connections #33

Closed
dobesv wants to merge 1 commit into alDuncanson:main from dobesv:feat/mtls-custom-headers

@dobesv dobesv commented Mar 19, 2026

Summary

  • Add mTLS (mutual TLS) client certificate authentication for A2A connections
  • Add custom HTTP headers support (additive with any auth type)
  • Add saved agents panel in TUI — agents configured via auth set appear as clickable buttons for one-click connect

Changes

mTLS Authentication

  • New AuthType.MTLS with cert_path, key_path, ca_cert_path fields on AuthCredentials
  • build_ssl_context() creates SSL context for httpx client
  • create_mtls_auth() factory with file existence validation
  • CLI: --cert, --key, --ca-cert options on auth set
  • TUI: mTLS radio button with certificate path inputs
  • MCP: cert_path/key_path/ca_cert_path params on all auth-bearing tools

Custom Headers

  • custom_headers dict field on AuthCredentials, merged into to_headers()
  • CLI: repeatable --header/-H "Name: Value" on auth set and message send/stream
  • parse_header_string() helper for Name: Value format
  • TUI: semicolon-separated header input field (works with any auth type)
  • MCP: custom_headers dict param on all tools

Saved Agents Panel (TUI)

  • AgentCardPanel placeholder replaced with clickable list of saved agents from ~/.handler/sessions.json
  • Clicking auto-fills URL bar and connects with saved credentials (mTLS, bearer, api-key, custom headers)
  • Connect button also checks session store as credential fallback
  • All CLI commands (card, task, message) now pass saved credentials to build_http_client() for transport-level auth

Bug Fixes

  • Guard to_headers() against empty bearer value (Authorization: Bearer leak)
  • Apply custom headers even for mTLS credentials in set_credentials()
  • Always rebuild HTTP client on TUI connect (mTLS to non-mTLS transition fix)
  • Copy credentials before mutating custom headers (prevents cross-call leaks in MCP server)
  • Remove stale --authenticated flag from card get (credentials always applied for transport)

Testing

  • 272 tests passing, 17 new tests covering mTLS and custom header flows
  • ruff check, ruff format, ty check all clean
  • Manually verified against live mTLS agent gateway

Ultraworked with [Sisyphus](https://github.com/code-yeongyu/oh-my-openagent)

Co-authored-by: Sisyphus <clio-agent@sisyphuslabs.ai>
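
The header and mTLS handling listed in the description above, as an added sketch that is not the PR's code. `Credentials` and `with_headers` are hypothetical names; `parse_header_string`, `to_headers` and `build_ssl_context` reuse names from the description, but their signatures and bodies here are assumptions.

```python
from __future__ import annotations

import ssl
from dataclasses import dataclass, field, replace
from pathlib import Path


def parse_header_string(raw: str) -> tuple[str, str]:
    """Split 'Name: Value'; reject input that could smuggle extra headers."""
    name, sep, value = raw.partition(":")
    name, value = name.strip(), value.strip()
    if not sep or not name:
        raise ValueError(f"expected 'Name: Value', got {raw!r}")
    if any(c in raw for c in "\r\n"):
        raise ValueError("CR/LF not allowed in a header")
    return name, value


@dataclass(frozen=True)
class Credentials:  # hypothetical stand-in for the PR's AuthCredentials
    bearer: str = ""
    custom_headers: dict[str, str] = field(default_factory=dict)

    def to_headers(self) -> dict[str, str]:
        headers = dict(self.custom_headers)
        if self.bearer.strip():  # never emit a bare "Authorization: Bearer "
            headers["Authorization"] = f"Bearer {self.bearer}"
        return headers

    def with_headers(self, raw_headers: list[str]) -> Credentials:
        """Return a copy carrying per-call headers; the saved object is untouched."""
        extra = dict(map(parse_header_string, raw_headers))
        return replace(self, custom_headers={**self.custom_headers, **extra})


def build_ssl_context(
    cert_path: str, key_path: str, ca_cert_path: str | None = None
) -> ssl.SSLContext:
    """Client context that presents a certificate and still verifies the server."""
    for p in filter(None, (cert_path, key_path, ca_cert_path)):
        if not Path(p).is_file():  # fail early with the offending path
            raise FileNotFoundError(p)
    ctx = ssl.create_default_context(cafile=ca_cert_path)
    ctx.load_cert_chain(certfile=cert_path, keyfile=key_path)
    return ctx
```

The returned context can be passed to `httpx.Client(verify=ctx)`; certificate verification and hostname checking stay enabled because the context comes from `ssl.create_default_context()`.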

@alDuncanson (Owner)

Hey @dobesv, I'm not trying to leave you hanging here.

I'm just thinking about how I want to implement this feature—sessions and agent profiles (or saved agents)—and do so in a way that's not only a good user experience but is also scalable.

I don't want to hold off on this until I finish the TUI redesign, so I've cherry-picked your mTLS contribution into my auth/profiles/session branch of work: https://github.com/alDuncanson/Handler/tree/auth-profiles-and-sessions and I'm working on getting that in soon 👍🏻

@dobesv (Author) commented Mar 27, 2026

No worries, I just threw this in here as an idea, do with it as you will. I'm not even sure at this point if handler will fit into my workflow in any way.

@dobesv (Author) commented Mar 27, 2026

I'll close this for now - you can use it as a reference for whatever you're working on.

@dobesv dobesv closed this Mar 27, 2026
Labels

enhancement New feature or request
