deploy(gx10): add DeviceManagement agent mTLS route

apps-gx10/fc-devicemgmt/README.md

@@ -1,7 +1,9 @@
 # FlowerCore DeviceManagement on GX10
 
 This adopted GX10 app hosts `FlowerCore.DeviceManagement.Web` at
-`https://devices.iamworkin.lan`.
+`https://devices.iamworkin.lan`. Agent-only REST/SignalR callbacks can use
+`https://devices-agent.iamworkin.lan`, which is a separate Traefik router that
+requires a TLS client certificate and forwards the presented PEM to the app.
 
 ## Apple MDM Runtime Contract
 
@@ -35,10 +37,18 @@ DeviceManagement auth is enabled on GX10. The deployment maps
 `FlowerCore__Auth__ApiKey`; the unprefixed key keeps the MCP API key post-config
 path aligned with REST auth. Agent heartbeat, inventory, command poll, app-catalog,
 and command-result callbacks use the agent-specific authorization boundary: the
-server validates a device client certificate when Kestrel receives one, and also
-accepts only the scoped `DEVICE_MANAGEMENT_AGENT_API_KEY` via `Authorization:
-Bearer` or `X-Agent-Api-Key` when TLS is terminated before the app. Operator write
-endpoints must use `X-Api-Key`.
+server validates a direct device client certificate when Kestrel receives one,
+validates Traefik-forwarded client certificate PEM only on
+`devices-agent.iamworkin.lan`, and also accepts only the scoped
+`DEVICE_MANAGEMENT_AGENT_API_KEY` via `Authorization: Bearer` or
+`X-Agent-Api-Key` as the fallback path. Operator write endpoints must use
+`X-Api-Key`.
+
+The agent-only Traefik route currently uses `RequireAnyClientCert`; the
+application remains the authorization boundary by matching the forwarded client
+certificate thumbprint to the enrolled device record. Once DeviceManagement
+exports a persistent enrollment CA bundle, switch this TLSOption to
+`RequireAndVerifyClientCert` with that CA secret.
 
 ## Readiness Check