yarn: rotate tpm identity after fTPM reset
BIOS 2423→4101 update on yarn required an fTPM reset, which broke the sealed age identity at /var/lib/agenix/tpm-identity. Bootstrapped a new identity against the new SRK and rotated yarn's recipient. age-plugin-tpm 1.0+ emits age1tag1… (p256tag) recipients by default and refuses to encrypt to legacy age1tpm1… ones, so rotated mreow's recipient to the same encoding (same key, new bech32 HRP) and added an age-plugin-tag→age-plugin-tpm symlink in the rage wrapper so rage's plugin dispatch finds the binary under the new prefix. Stripped the trailing host labels from the tpm recipient strings — rage's stricter bech32 parser now rejects the trailing whitespace; labels live in adjacent Nix comments instead.
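The two encoding facts the commit message leans on, as an added Python example (not code from the flake on this page): a recipient rotates from `age1tpm1…` to `age1tag1…` by keeping the bech32 payload and swapping the human-readable part, and a strict bech32 parser rejects a recipient string that still carries a trailing host label. Assumed here: age plugin recipients are BIP-173 bech32 (not bech32m) with HRP `age1<plugin>`, which is how rage maps `age1tag1…` to a binary named `age-plugin-tag`; the p256tag payload is byte-identical to the legacy payload, which the commit asserts and this code does not verify; `SAMPLE_KEY` is a constructed stand-in for a compressed P-256 point, not a real TPM key. The helper names are this example's own.

```python
# Added example, not repository code. Assumes age plugin recipients are
# BIP-173 bech32 with HRP "age1<plugin>" and that the p256tag payload equals
# the legacy payload (per the commit message). SAMPLE_KEY is constructed.
CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
GEN = (0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3)


def _polymod(values):
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= GEN[i]
    return chk


def _hrp_expand(hrp):
    return [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]


def _checksum(hrp, data):
    pm = _polymod(_hrp_expand(hrp) + data + [0] * 6) ^ 1
    return [(pm >> 5 * (5 - i)) & 31 for i in range(6)]


def _convertbits(data, frombits, tobits, pad):
    acc, bits, out, maxv = 0, 0, [], (1 << tobits) - 1
    for v in data:
        acc = (acc << frombits) | v
        bits += frombits
        while bits >= tobits:
            bits -= tobits
            out.append((acc >> bits) & maxv)
    if pad:
        if bits:
            out.append((acc << (tobits - bits)) & maxv)
    elif bits >= frombits or (acc << (tobits - bits)) & maxv:
        raise ValueError("invalid padding")
    return out


def bech32_encode(hrp, payload):
    data = _convertbits(payload, 8, 5, True)
    return hrp + "1" + "".join(CHARSET[d] for d in data + _checksum(hrp, data))


def bech32_decode(s):
    """Strict decode: no surrounding whitespace, no mixed case, valid checksum."""
    if s != s.strip() or (s.lower() != s and s.upper() != s):
        raise ValueError("whitespace or mixed case in bech32 string")
    s = s.lower()
    pos = s.rfind("1")  # last '1' is the separator; the HRP may contain '1'
    if pos < 1 or pos + 7 > len(s):
        raise ValueError("missing separator or data too short")
    hrp, tail = s[:pos], s[pos + 1:]
    if any(c not in CHARSET for c in tail):
        raise ValueError("invalid character in data part")
    data = [CHARSET.index(c) for c in tail]
    if _polymod(_hrp_expand(hrp) + data) != 1:
        raise ValueError("bad checksum")
    return hrp, bytes(_convertbits(data[:-6], 5, 8, False))


def plugin_name(recipient):
    """'tpm' for age1tpm1..., 'tag' for age1tag1...: the age-plugin-<name> rage runs."""
    hrp, _ = bech32_decode(recipient)
    if not hrp.startswith("age1") or len(hrp) == 4:
        raise ValueError("not an age plugin recipient")
    return hrp[4:]


def rehrp(recipient, new_plugin):
    """Keep the payload, swap the HRP, recompute the checksum."""
    plugin_name(recipient)  # validates shape and checksum first
    _, payload = bech32_decode(recipient)
    return bech32_encode("age1" + new_plugin, payload)


def recipient_error(s):
    """None for a well-formed plugin recipient, else the parser's reason."""
    try:
        plugin_name(s)
    except ValueError as e:
        return str(e)
    return None


# Constructed sample: 0x02 || 32 bytes, the shape of a compressed P-256 point.
SAMPLE_KEY = bytes([0x02]) + bytes(range(1, 33))
LEGACY_RECIPIENT = bech32_encode("age1tpm", SAMPLE_KEY)

if __name__ == "__main__":
    print("legacy :", LEGACY_RECIPIENT, "->", plugin_name(LEGACY_RECIPIENT))
    rotated = rehrp(LEGACY_RECIPIENT, "tag")
    print("rotated:", rotated, "->", plugin_name(rotated))
    print("with trailing label:", recipient_error(LEGACY_RECIPIENT + " yarn"))
```

The data part between the `age1tpm1`/`age1tag1` prefix and the six checksum characters is identical in both strings; only the checksum, which covers the HRP, changes. Re-encoding like this is only valid because the payload format did not change; if a plugin's new encoding altered the payload, the honest fix would be what the commit did for yarn, bootstrapping a fresh identity.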
@@ -122,7 +122,7 @@ New modules: pick the narrowest prefix that's true, then add the import explicit
- **muffin**: identity is `/mnt/usb-secrets/usb-secrets-key` (ssh-ed25519 on a physical USB). Wired in `modules/usb-secrets.nix`.
- **mreow + yarn**: identity is `/var/lib/agenix/tpm-identity` (an `age-plugin-tpm` handle sealed by the host's TPM 2.0). Wired in `modules/desktop-age-secrets.nix`; yarn persists `/var/lib/agenix` through impermanence.
- **Recipients** are declared in `secrets/secrets.nix`. Desktop secrets are encrypted to the admin SSH key + each host's TPM recipient; server secrets stay encrypted to the muffin USB key.
- **Bootstrap a new desktop**: run `doas scripts/bootstrap-desktop-tpm.sh` on the host. It generates a TPM-sealed identity at `/var/lib/agenix/tpm-identity` and prints an `age1tpm1…` recipient. Append it to the `tpm` list in `secrets/secrets.nix`, run `agenix -r` to re-encrypt, commit, `./deploy.sh switch`.
- **Bootstrap a new desktop**: run `doas scripts/bootstrap-desktop-tpm.sh` on the host. It generates a TPM-sealed identity at `/var/lib/agenix/tpm-identity` and prints an `age1tag1…` recipient (legacy `age1tpm1…` recipients still decrypt but `age-plugin-tpm` 1.0+ refuses to encrypt to them; `modules/desktop-age-secrets.nix` symlinks `age-plugin-tag → age-plugin-tpm` so rage's plugin dispatch finds the binary under both prefixes). Append it to the `tpm` list in `secrets/secrets.nix` (label as a Nix `# host` comment, not as a trailing word inside the recipient string — rage's bech32 parser rejects the trailing whitespace), run `agenix -r` to re-encrypt, commit, `./deploy.sh switch`.
- **Encrypting a new server secret** uses the SSH public key directly with `age -R`:
```sh
age -R <(ssh-keygen -y -f secrets/usb-secrets/usb-secrets-key) \
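Review bot: the rewritten bootstrap bullet now commits the README to `scripts/bootstrap-desktop-tpm.sh` printing an `age1tag1…` recipient, but the script is not touched in this change, so which prefix it prints is decided by the `age-plugin-tpm` version the flake's nixpkgs pin happens to carry; either state the version the README assumes (the bullet only says "1.0+") or keep the sentence neutral ("prints a recipient") and let the parenthetical explain both prefixes. Two wording points in the same bullet: "legacy `age1tpm1…` recipients still decrypt" reads as though a recipient decrypts, while what decrypts is the existing `/var/lib/agenix/tpm-identity`, so "files already encrypted to legacy `age1tpm1…` recipients still decrypt with the existing identity" says what is meant; and the plugin-version and symlink explanation is about how the two hosts' identities are served rather than about bootstrapping, so it belongs in the `mreow + yarn` bullet above, which still describes the identity only as "an `age-plugin-tpm` handle".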
@@ -4,11 +4,22 @@
...
}:
let
# Wrap rage so age-plugin-tpm is on PATH at activation time.
# Both mreow and yarn use age1tpm1… recipients (legacy P-256 encoding),
# which age-plugin-tpm handles under its own name.
# age-plugin-tpm 1.0+ defaults to the new age1tag1… (p256tag) recipient
# encoding and refuses to encrypt to legacy age1tpm1… recipients. rage's
# plugin dispatch maps recipient prefixes to binaries (`age1tag1…` →
# `age-plugin-tag`), but nixpkgs only ships `age-plugin-tpm`. Provide a
# symlink so both prefixes resolve to the same binary.
age-plugin-tpm-with-tag = pkgs.symlinkJoin {
name = "age-plugin-tpm-with-tag";
paths = [ pkgs.age-plugin-tpm ];
postBuild = ''
ln -s age-plugin-tpm $out/bin/age-plugin-tag
'';
};
|
# Wrap rage so the plugin (under both names) is on PATH at activation time.
rageWithTpm = pkgs.writeShellScriptBin "rage" ''
export PATH="${pkgs.age-plugin-tpm}/bin:$PATH"
export PATH="${age-plugin-tpm-with-tag}/bin:$PATH"
exec ${pkgs.rage}/bin/rage "$@"
'';
in
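Review bot: `ln -s age-plugin-tpm $out/bin/age-plugin-tag` in `postBuild` fails with "File exists" the day nixpkgs' `age-plugin-tpm` ships its own `age-plugin-tag`; the comment records that it does not today, which is exactly the condition a channel bump can change, so guard the shim so it becomes a no-op when upstream catches up, e.g. `[ -e $out/bin/age-plugin-tag ] || ln -s age-plugin-tpm $out/bin/age-plugin-tag`. Related: the comment block describes `age-plugin-tpm` 1.0+ behaviour but nothing in the module pins or checks that version, so an older channel would build the wrapper against a plugin that predates the `age1tag1…` encoding and the failure would only show up at activation; an `assert lib.versionAtLeast pkgs.age-plugin-tpm.version "1.0";` ahead of the module body (assuming `lib` is among the module arguments elided by `...`) turns that into a build-time error with a clear message.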
Binary file not shown.