secrets: add mreow + yarn TPM recipients, re-encrypt desktop secrets

modules/desktop-age-secrets.nix

@@ -4,9 +4,9 @@
   ...
 }:
 let
-  # rage cannot invoke age-plugin-tpm unless the plugin binary is on PATH at
-  # activation time. Wrap rage so the activation scripts (and anything else
-  # that picks up `age.ageBin`) get age-plugin-tpm for free.
+  # Wrap rage so age-plugin-tpm is on PATH at activation time.
+  # Both mreow and yarn use age1tpm1… recipients (legacy P-256 encoding),
+  # which age-plugin-tpm handles under its own name.
   rageWithTpm = pkgs.writeShellScriptBin "rage" ''
     export PATH="${pkgs.age-plugin-tpm}/bin:$PATH"
     exec ${pkgs.rage}/bin/rage "$@"