Why mTLS instead of a bearer token
Context
Agents run on hundreds of customer hosts. Each one needs an identity.
Options
- A single shared secret — compromising any one host compromises all of them
- Per-host bearer token — needs rotation; a long-lived token in a file is a serious risk
- mTLS with a per-host client cert + short TTL — a host compromise is bounded by the window until the next rotation (24h)
What we chose
mTLS + automatic rotation. Identity = peer cert subject. agentIDFromCert(r) is the single source of identity in the ingest handler.