fix(security): bind A2A bus to 127.0.0.1 instead of 0.0.0.0

Bun.serve() without hostname defaults to all interfaces, exposing
18810/18811 to the entire network. Pin to localhost.

Author: AliceLJY

a2a/bus.js

@@ -46,6 +46,7 @@ export function createA2ABus(config) {
 
     server = Bun.serve({
       port,
+      hostname: "127.0.0.1",
       fetch(req, env) {
         const url = new URL(req.url);
         if (req.method === "POST" && url.pathname === "/a2a/message") {