[P0-3-companion] mTLS validation + secret rotation for agent-auth routes

[haydercyber]

Source: pre-v1.0 security review (secrets-bridge/skills/SECURITY_REVIEW.md §2 P0-3). Companion to secrets-bridge/agent#12.

Why this is P0: agent's agent_secret is a single factor today. P0-3 introduces workload identity (mTLS / SPIFFE / IRSA) as a second factor. This CP-side issue adds the validation + rotation surface.

Required scope

• mTLS validation on the AgentAuth middleware: when configured, validate the client cert against a configured CA bundle, extract identity from the cert's SAN (matching the SPIFFE ID or DNS SAN), bind it to the agent_id claimed by the request. Reject mismatch.
• SPIFFE SVID acceptance when the cert is a SPIFFE SVID — validate the trust domain + agent identity claim.
• POST /agents/:id/rotate-secret — agent presents the old secret + the new one is minted. The new secret returned ONCE. Old secret invalidated atomically. Audit event with correlation ID.
• POST /agents/:id/revoke-secret — admin-only, immediate invalidation.
• Configuration: SB_AGENT_MTLS_REQUIRED=true|false toggle. When true, agents without mTLS get 401.
• CA bundle config: SB_AGENT_MTLS_CA_FILE for the operator's CA.
• Tests: valid mTLS + secret → 200; mTLS without secret → 401; secret without mTLS when required → 401; rotation atomic under contention; revoke kicks active sessions out.
• Documentation: api/SKILL.md + the operator runbook companion to the agent's P0-3.

Pre-requisite

#26 (auth middleware refactor) should land first so the agent-auth path uses the same identity-from-context pattern.

Effort estimate

~1 week on top of the agent-side work.

Gating

This issue MUST be closed before any v1.0 announcement.