5437b68316
Add lib/api/routes/agents.js: list/create/get, PATCH capabilities, mint token (plaintext returned exactly once, then bcrypt-hashed), revoke token. All endpoints gated by requireOwner so an agent token can never bootstrap a new agent or grant itself capabilities. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>