Commit 0bfeff5
docs: add SPIFFE/SPIRE integration architecture for agent identity

This architecture document outlines how to integrate SPIRE (SPIFFE Runtime
Environment) into RAG Modulo to provide cryptographic workload identities
for AI agents. This enables zero-trust agent authentication and secure
agent-to-agent (A2A) communication.

Key architectural decisions:
- JWT-SVIDs for stateless verification (vs X.509 for mTLS)
- Trust domain: spiffe://rag-modulo.example.com
- Integration with IBM MCP Context Forge (PR #684)
- Capability-based access control for agents
- 5-phase implementation plan

Agent types defined:
- search-enricher: MCP tool invocation
- cot-reasoning: Chain of Thought orchestration
- question-decomposer: Query decomposition
- source-attribution: Document source tracking
- entity-extraction: Named entity recognition
- answer-synthesis: Answer generation

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>

1 parent b8b321a commit 0bfeff5
1 file changed, +900 -0 lines changed