feat: add SPIFFE/SPIRE configuration for agent identity

Add environment variables to support SPIFFE workload identity integration
for AI agents and services. This enables cryptographic machine identity
with configurable migration phases:

- SPIFFE_ENABLED: Toggle SPIFFE integration
- SPIFFE_AUTH_MODE: Migration phases (disabled→optional→preferred→required)
- SPIFFE_ENDPOINT_SOCKET: SPIRE Agent Workload API socket
- SPIFFE_TRUST_DOMAIN: Trust domain for identity hierarchy
- SPIFFE_LEGACY_JWT_WARNING: Track legacy auth usage during migration
- SPIFFE_SVID_TTL_SECONDS: Certificate lifetime configuration
- SPIFFE_JWT_AUDIENCES: Allowed JWT-SVID audiences

Related to: MCP Context Forge integration (PR #684)

Author: claude

.env.example

@@ -180,3 +180,32 @@ RERANKER_BATCH_SIZE=10
 BACKEND_IMAGE=ghcr.io/manavgup/rag_modulo/backend:latest
 FRONTEND_IMAGE=ghcr.io/manavgup/rag_modulo/frontend:latest
 TEST_IMAGE=ghcr.io/manavgup/rag_modulo/backend:latest
+
+# ================================
+# SPIFFE/SPIRE IDENTITY (Agent/Machine Identity)
+# ================================
+# Enable SPIFFE workload identity for agents and services
+# See: https://spiffe.io/docs/latest/spire-about/spire-concepts/
+SPIFFE_ENABLED=false
+
+# Authentication mode for migration (disabled|optional|preferred|required)
+# - disabled: No SPIFFE support (current default)
+# - optional: Accept both user JWT and SPIFFE JWT-SVID
+# - preferred: Prefer SPIFFE, log warning on legacy JWT
+# - required: Only SPIFFE JWT-SVIDs accepted for workloads
+SPIFFE_AUTH_MODE=disabled
+
+# SPIRE Agent Workload API socket path
+SPIFFE_ENDPOINT_SOCKET=unix:///run/spire/agent/api.sock
+
+# SPIFFE trust domain for this environment
+SPIFFE_TRUST_DOMAIN=rag-modulo.local
+
+# Log warning when legacy JWT is used (for migration tracking)
+SPIFFE_LEGACY_JWT_WARNING=false
+
+# Default SVID TTL in seconds (default: 3600 = 1 hour)
+SPIFFE_SVID_TTL_SECONDS=3600
+
+# Allowed JWT-SVID audiences (comma-separated)
+SPIFFE_JWT_AUDIENCES=rag-modulo,mcp-gateway