docs: add SPIRE agent identity integration architecture

Add comprehensive architecture document for integrating SPIRE (SPIFFE
Runtime Environment) into RAG Modulo to provide cryptographic workload
identity for AI agents, MCP tools, and services.

Key sections:
- Problem statement: gaps in current user-only identity model
- SPIRE/SPIFFE concepts: SVIDs, attestation, trust domains
- Proposed architecture: identity hierarchy for all workloads
- Integration points: backend, MCP Gateway, agents, infrastructure
- Trust domain design: single vs federated architectures
- Workload registration: selectors and attestation strategies
- Implementation phases: 5-phase rollout plan
- Security considerations: threat model and best practices
- Deployment strategies: Docker Compose and Kubernetes
- MCP Context Forge integration: aligns with PR #684

This enables machine/agent IDs (AgentIDs) for the upcoming AI agent
capabilities being added via MCP Context Forge integration.

Author: claude