deploy(gx10): restore DeviceManagement agent heartbeat auth

apps-gx10/fc-devicemgmt/README.md

@@ -15,6 +15,7 @@ values to clear readiness checks.
 | --- | --- |
 | `DEVICE_MANAGEMENT_OPERATOR_API_KEY` | Required operator API key for authenticated REST/MCP write operations, including Android command queueing. |
 | `DEVICE_MANAGEMENT_ADMIN_API_KEY` | Required admin API key for privileged DeviceManagement operations. |
+| `DEVICE_MANAGEMENT_AGENT_API_KEY` | Required scoped agent credential for REST agent callbacks when TLS terminates before Kestrel; maps to `Auth:AgentApiKey` and `FlowerCore:Auth:AgentApiKey`. |
 | `NANOHUB_API_KEY` | NanoHUB API password for HTTP Basic user `nanohub`. |
 | `APPLE_MDM_APNS_TOPIC` | MDM APNs topic returned after uploading the Apple MDM push certificate to NanoHUB/NanoMDM. |
 | `APPLE_MDM_SCEP_URL` | Live SCEP URL included in the enrollment profile. |
@@ -32,9 +33,12 @@ managed Wi-Fi encryption type, auto-join, and MAC-randomization disablement.
 DeviceManagement auth is enabled on GX10. The deployment maps
 `DEVICE_MANAGEMENT_OPERATOR_API_KEY` to both `Auth__ApiKey` and
 `FlowerCore__Auth__ApiKey`; the unprefixed key keeps the MCP API key post-config
-path aligned with REST auth. Agent enrollment, heartbeat, inventory, command poll,
-and command-result callbacks remain on the unauthenticated agent channel by
-application policy; operator write endpoints must use `X-Api-Key`.
+path aligned with REST auth. Agent heartbeat, inventory, command poll, app-catalog,
+and command-result callbacks use the agent-specific authorization boundary: the
+server validates a device client certificate when Kestrel receives one, and also
+accepts only the scoped `DEVICE_MANAGEMENT_AGENT_API_KEY` via `Authorization:
+Bearer` or `X-Agent-Api-Key` when TLS is terminated before the app. Operator write
+endpoints must use `X-Api-Key`.
 
 ## Readiness Check