yarn: rotate tpm identity after fTPM reset

BIOS 2423→4101 update on yarn required an fTPM reset, which broke the
sealed age identity at /var/lib/agenix/tpm-identity. Bootstrapped a new
identity against the new SRK and rotated yarn's recipient.

age-plugin-tpm 1.0+ emits age1tag1… (p256tag) recipients by default and
refuses to encrypt to legacy age1tpm1… ones, so rotated mreow's recipient
to the same encoding (same key, new bech32 HRP) and added an
age-plugin-tag→age-plugin-tpm symlink in the rage wrapper so rage's
plugin dispatch finds the binary under the new prefix. Stripped the
trailing host labels from the tpm recipient strings — rage's stricter
bech32 parser now rejects the trailing whitespace; labels live in
adjacent Nix comments instead.
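Added example, not code from this commit, from rage or from age-plugin-tpm: the recipient rotation the message describes, carried out as a bech32 HRP swap over a constructed payload. It takes the commit message at its word that age1tpm1… and age1tag1… carry the same key bytes and differ only in the human-readable part (so the checksum, which covers the HRP, changes while the data characters stay identical), and it shows why the trailing host labels had to go: a strict bech32 decoder rejects any character outside the printable 33..126 range, so `age1tpm1… yarn` fails before the checksum is even checked. The 33-byte sample payload is constructed to look like a compressed P-256 point and is not a real key; the helper names are this example's own.

```python
# Added example: re-encode an age plugin recipient under a new bech32 HRP.
# Not code from this commit, rage or age-plugin-tpm; the function names are
# this example's own. Assumption (taken from the commit message): age1tpm1...
# and age1tag1... recipients carry the same key bytes, differing only in HRP.

CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
GENERATOR = [0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3]


def bech32_polymod(values):
    """BIP-173 checksum polynomial over GF(32)."""
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= GENERATOR[i]
    return chk


def bech32_hrp_expand(hrp):
    """The HRP enters the checksum as its high bits, a zero, then its low bits."""
    return [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]


def bech32_create_checksum(hrp, data):
    polymod = bech32_polymod(bech32_hrp_expand(hrp) + data + [0] * 6) ^ 1
    return [(polymod >> 5 * (5 - i)) & 31 for i in range(6)]


def bech32_encode(hrp, data):
    """Encode 5-bit groups under hrp; the checksum depends on hrp as well."""
    return hrp + "1" + "".join(CHARSET[d] for d in data + bech32_create_checksum(hrp, data))


def bech32_decode(bech):
    """Strict decode returning (hrp, data) or (None, None).

    Rejects whitespace/non-printables, mixed case, a missing '1' separator,
    characters outside CHARSET and a bad checksum. No 90-char cap is applied,
    because age plugin strings can be longer than BIP-173 addresses.
    """
    if any(ord(c) < 33 or ord(c) > 126 for c in bech):
        return None, None
    if bech.lower() != bech and bech.upper() != bech:
        return None, None
    bech = bech.lower()
    pos = bech.rfind("1")
    if pos < 1 or pos + 7 > len(bech):
        return None, None
    if any(c not in CHARSET for c in bech[pos + 1:]):
        return None, None
    hrp, data = bech[:pos], [CHARSET.index(c) for c in bech[pos + 1:]]
    if bech32_polymod(bech32_hrp_expand(hrp) + data) != 1:
        return None, None
    return hrp, data[:-6]


def convertbits(data, frombits, tobits, pad=True):
    """Regroup a bit stream (8->5 when encoding, 5->8 when decoding)."""
    acc, bits, ret = 0, 0, []
    maxv = (1 << tobits) - 1
    max_acc = (1 << (frombits + tobits - 1)) - 1
    for value in data:
        if value < 0 or value >> frombits:
            return None
        acc = ((acc << frombits) | value) & max_acc
        bits += frombits
        while bits >= tobits:
            bits -= tobits
            ret.append((acc >> bits) & maxv)
    if pad:
        if bits:
            ret.append((acc << (tobits - bits)) & maxv)
    elif bits >= frombits or (acc << (tobits - bits)) & maxv:
        return None  # oversized or non-zero padding
    return ret


def plugin_recipient(plugin, payload):
    """age plugin recipients are bech32 strings with HRP 'age1<plugin>'."""
    return bech32_encode("age1" + plugin, convertbits(list(payload), 8, 5))


def parse_plugin_recipient(recipient):
    """Return (plugin name, payload bytes); raise ValueError on any defect."""
    hrp, data = bech32_decode(recipient)
    if hrp is None or not hrp.startswith("age1"):
        raise ValueError("not a valid age plugin recipient: %r" % recipient)
    payload = convertbits(data, 5, 8, pad=False)
    if payload is None:
        raise ValueError("bad padding in recipient payload")
    return hrp[len("age1"):], bytes(payload)


def rotate_recipient_hrp(recipient, new_plugin):
    """Same key bytes under a new HRP, hence a new checksum."""
    _, payload = parse_plugin_recipient(recipient)
    return plugin_recipient(new_plugin, payload)


# Constructed sample: 33 bytes shaped like a compressed P-256 point, NOT a real key.
SAMPLE_KEY = bytes([0x02]) + bytes(range(1, 33))
LEGACY_RECIPIENT = plugin_recipient("tpm", SAMPLE_KEY)          # age1tpm1...
TAG_RECIPIENT = rotate_recipient_hrp(LEGACY_RECIPIENT, "tag")  # age1tag1...

if __name__ == "__main__":
    print(LEGACY_RECIPIENT)
    print(TAG_RECIPIENT)
    # A trailing host label is not bech32; a strict parser rejects the whole string.
    print(bech32_decode(LEGACY_RECIPIENT + " yarn"))
```

The data characters between the separator and the last six checksum characters are identical in both strings; only the HRP and checksum differ, which is what "same key, new bech32 HRP" amounts to. Labels belong outside the string, as the commit moves them into Nix comments.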
2026-04-30 14:08:36 -04:00
parent cc97c99422
commit 26401f5316
7 changed files with 16 additions and 5 deletions


@@ -4,11 +4,22 @@
...
}:
let
# Wrap rage so age-plugin-tpm is on PATH at activation time.
# Both mreow and yarn use age1tpm1… recipients (legacy P-256 encoding),
# which age-plugin-tpm handles under its own name.
# age-plugin-tpm 1.0+ defaults to the new age1tag1… (p256tag) recipient
# encoding and refuses to encrypt to legacy age1tpm1… recipients. rage's
# plugin dispatch maps recipient prefixes to binaries (`age1tag1…` →
# `age-plugin-tag`), but nixpkgs only ships `age-plugin-tpm`. Provide a
# symlink so both prefixes resolve to the same binary.
age-plugin-tpm-with-tag = pkgs.symlinkJoin {
name = "age-plugin-tpm-with-tag";
paths = [ pkgs.age-plugin-tpm ];
postBuild = ''
ln -s age-plugin-tpm $out/bin/age-plugin-tag
'';
};
# Wrap rage so the plugin (under both names) is on PATH at activation time.
rageWithTpm = pkgs.writeShellScriptBin "rage" ''
export PATH="${pkgs.age-plugin-tpm}/bin:$PATH"
export PATH="${age-plugin-tpm-with-tag}/bin:$PATH"
exec ${pkgs.rage}/bin/rage "$@"
'';
in
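Review bot: the new comment block explains why an `age-plugin-tag` name has to exist but not why `age-plugin-tpm` must stay reachable under its own name; the commit message talks about rotating recipients and says nothing about the identity at /var/lib/agenix/tpm-identity changing encoding, so if decryption still dispatches that identity to `age-plugin-tpm`, say so next to `ln -s age-plugin-tpm $out/bin/age-plugin-tag`, otherwise a later cleanup will collapse the wrapper to one name and break activation. Two smaller points in the same hunk: `export PATH="${pkgs.age-plugin-tpm}/bin:$PATH"` and `export PATH="${age-plugin-tpm-with-tag}/bin:$PATH"` both appear in the wrapper body, and if the first is not the removed side of this hunk it is redundant, since `symlinkJoin` over `pkgs.age-plugin-tpm` already puts `age-plugin-tpm` in `$out/bin`; and the comment "Both mreow and yarn use age1tpm1… recipients (legacy P-256 encoding)" contradicts the message's rotation of mreow to `age1tag1…`, so it should not survive alongside the new comment.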