Hardened agent credential storage


rstream now supports hardened storage for the credentials used by agents and SDK runtimes when they authenticate to the engine control channel.

The Go CLI and Go SDK can store bearer tokens in macOS Keychain, so local configuration files carry a Keychain reference rather than the token value itself. The same macOS provider can also load an mTLS client identity from Keychain, selected by the certificate's SHA-256 fingerprint, so the signed rstream binary can use the private key without that key ever being copied into the YAML file.

For certificate-backed agent authentication outside macOS, the Go SDK and C++ SDK now support PKCS#11 mTLS storage. Agents can authenticate with a private key held by a YubiKey, HSM, smart card, TPM-backed module, or a SoftHSM token used for validation. The configuration names the PKCS#11 module, the token selector, the key selector, the certificate source, and the environment variable that supplies the PIN, so the PIN is read from the environment at runtime rather than stored in the file. C++ agents can also set the OpenSSL provider name when distribution packaging exposes the provider under a name such as pkcs11.

JavaScript SDK configuration parsing has also been updated to understand the credential storage shape shared across the SDKs. Hardened storage modes that a given SDK does not support fail explicitly instead of being silently ignored, so a configuration file cannot mean one thing to one SDK and something weaker to another, and cross-SDK behavior stays auditable.
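To make the fail-closed parsing concrete, here is an added example (not rstream's own SDK code) of a credential storage parser in JavaScript, covering both the PKCS#11 configuration fields described above and the Keychain fingerprint selector. The mode names `keychain` and `pkcs11` and every field name (`tokenRef`, `certificateFingerprint`, `module`, `tokenSelector`, `keySelector`, `certificateSource`, `pinEnv`, `provider`) are assumptions chosen to mirror the fields named on this page, not rstream's actual schema. The parser rejects unknown modes, rejects an inline PIN, reads the PIN only through the named environment variable, and normalizes a certificate fingerprint before it is used as a lookup key.

```javascript
// Added example, not rstream's own SDK code. Mode and field names are assumptions.
const SUPPORTED_MODES = new Set(["keychain", "pkcs11"]);

class CredentialConfigError extends Error {}

function requireString(obj, key, ctx) {
  const v = obj[key];
  if (typeof v !== "string" || v.length === 0) {
    throw new CredentialConfigError(`${ctx}: "${key}" must be a non-empty string`);
  }
  return v;
}

// Accept "AB:CD:..." or bare hex and reduce to 64 lowercase hex characters,
// so the fingerprint compares byte-for-byte against the Keychain lookup key.
function normalizeFingerprint(fp) {
  const hex = String(fp).replace(/[:\s]/g, "").toLowerCase();
  if (!/^[0-9a-f]{64}$/.test(hex)) {
    throw new CredentialConfigError(`certificate fingerprint is not a SHA-256 digest: ${fp}`);
  }
  return hex;
}

// The config names an environment variable; the secret is read from it at
// parse time and never appears in the file.
function secretFromEnv(obj, key, env, ctx) {
  const name = requireString(obj, key, ctx);
  const value = env[name];
  if (typeof value !== "string" || value.length === 0) {
    throw new CredentialConfigError(`${ctx}: environment variable ${name} is not set`);
  }
  return value;
}

function parseCredentialStorage(raw, env) {
  if (raw === null || typeof raw !== "object" || Array.isArray(raw)) {
    throw new CredentialConfigError("credential storage must be a mapping");
  }
  const mode = requireString(raw, "mode", "credential storage");
  if (!SUPPORTED_MODES.has(mode)) {
    // Fail closed: a mode this SDK does not implement is an error, not a no-op.
    throw new CredentialConfigError(`unsupported credential storage mode "${mode}"`);
  }
  if (mode === "keychain") {
    const hasToken = raw.tokenRef !== undefined;
    const hasCert = raw.certificateFingerprint !== undefined;
    if (hasToken === hasCert) {
      throw new CredentialConfigError("keychain mode: set exactly one of tokenRef or certificateFingerprint");
    }
    return hasToken
      ? { mode, tokenRef: requireString(raw, "tokenRef", "keychain mode") }
      : { mode, certificateFingerprint: normalizeFingerprint(raw.certificateFingerprint) };
  }
  // mode === "pkcs11": the private key stays in the module; only selectors live here.
  if ("pin" in raw) {
    throw new CredentialConfigError("pkcs11 mode: PIN must not be written inline; use pinEnv");
  }
  const out = {
    mode,
    module: requireString(raw, "module", "pkcs11 mode"),
    tokenSelector: requireString(raw, "tokenSelector", "pkcs11 mode"),
    keySelector: requireString(raw, "keySelector", "pkcs11 mode"),
    certificateSource: requireString(raw, "certificateSource", "pkcs11 mode"),
    pin: secretFromEnv(raw, "pinEnv", env, "pkcs11 mode"),
  };
  if (raw.provider !== undefined) {
    out.provider = requireString(raw, "provider", "pkcs11 mode"); // e.g. "pkcs11" for a C++ agent
  }
  return out;
}

// Wrap parsing so callers can branch on the outcome without try/catch.
function parseOutcome(raw, env) {
  try {
    return { ok: true, value: parseCredentialStorage(raw, env) };
  } catch (e) {
    if (e instanceof CredentialConfigError) return { ok: false, error: e.message };
    throw e;
  }
}

// Constructed sample inputs (not taken from the page).
const SAMPLE_PKCS11 = {
  mode: "pkcs11",
  module: "/usr/lib/softhsm/libsofthsm2.so",
  tokenSelector: "label=rstream-agent",
  keySelector: "label=agent-key",
  certificateSource: "/etc/rstream/agent.crt",
  pinEnv: "RSTREAM_PKCS11_PIN",
};
const SAMPLE_UNKNOWN = { mode: "vault", path: "secret/agent" };

for (const cfg of [SAMPLE_PKCS11, SAMPLE_UNKNOWN]) {
  const r = parseOutcome(cfg, { RSTREAM_PKCS11_PIN: "123456" });
  console.log(cfg.mode, r.ok ? "accepted" : `rejected: ${r.error}`);
}
```

The two checks worth copying into any SDK that shares a config shape are the explicit rejection of an unrecognised `mode` and the refusal to accept a PIN inline: the first is what makes the same file behave identically, or fail identically, across SDKs; the second keeps the only secret the PKCS#11 path needs out of the YAML file entirely.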

This release hardens agent authentication. Published tunnel mTLS remains a separate surface: when a public tunnel requires mTLS, the connecting client still needs its own client certificate provisioning.

For reference fields and support matrix, see Credential Storage. For an operational walkthrough, see Secure rstream Agent Authentication with Keychain and PKCS#11.