fix: SPIRE Agent crash on fresh clones (tls: illegal parameter)

Root cause: tpmPlugin was nil on fresh clones because tpm_plugin_cli.py
path lookup only checked $HOME/AegisSovereignAI/..., which doesn't exist
for repos cloned elsewhere. Without tpmPlugin, PreferPKCS1v15 TLS policy
was not applied, causing Go to use RSA-PSS (default in TLS 1.3) which
the TPM App Key cannot sign with, resulting in 'tls: illegal parameter'.

Fixes:
- test_agents.sh: export TPM_PLUGIN_CLI_PATH before SPIRE agent start
- client.go: add binary-relative path detection + UDS-only fallback

Verified: all integration tests pass on fresh clone (10.1.0.10).

Author: ramkri123

hybrid-cloud-poc/test_agents.sh

@@ -2721,6 +2721,16 @@ AGENT_CONFIG="${PROJECT_DIR}/python-app-demo/spire-agent.conf"
         export TPM_PLUGIN_ENDPOINT="unix:///tmp/spire-data/tpm-plugin/tpm-plugin.sock"
     fi
 
+    # Set TPM_PLUGIN_CLI_PATH so agent can find the TPM plugin CLI on any clone location
+    # Without this, PreferPKCS1v15 TLS policy won't be applied and the agent will crash
+    if [ -z "${TPM_PLUGIN_CLI_PATH:-}" ]; then
+        TPM_CLI_CANDIDATE="${SCRIPT_DIR}/tpm-plugin/tpm_plugin_cli.py"
+        if [ -f "${TPM_CLI_CANDIDATE}" ]; then
+            export TPM_PLUGIN_CLI_PATH="$(cd "$(dirname "${TPM_CLI_CANDIDATE}")" && pwd)/$(basename "${TPM_CLI_CANDIDATE}")"
+            echo "    TPM_PLUGIN_CLI_PATH=${TPM_PLUGIN_CLI_PATH}"
+        fi
+    fi
+
     # Verify TPM_PLUGIN_ENDPOINT is using UDS format (not TCP/IP)
     if ! echo "${TPM_PLUGIN_ENDPOINT}" | grep -q "^unix://"; then
         echo -e "${RED}    ✗ ERROR: TPM_PLUGIN_ENDPOINT must use UDS format (unix://), got: ${TPM_PLUGIN_ENDPOINT}${NC}"

spire-fork/pkg/agent/client/client.go

@@ -143,10 +143,21 @@ func newClient(c *Config) *client {
 	if fflag.IsSet(fflag.FlagUnifiedIdentity) {
 		pluginPath := os.Getenv("TPM_PLUGIN_CLI_PATH")
 		if pluginPath == "" {
+			// Look for the TPM plugin CLI in common locations
 			possiblePaths := []string{
 				"/tmp/spire-data/tpm-plugin/tpm_plugin_cli.py",
 				filepath.Join(os.Getenv("HOME"), "AegisSovereignAI/hybrid-cloud-poc/tpm-plugin/tpm_plugin_cli.py"),
 			}
+			// Also check relative to SPIRE binary location (handles fresh clones)
+			if exe, err := os.Executable(); err == nil {
+				exeDir := filepath.Dir(exe)
+				// binary is typically at <repo>/build/spire-binaries/spire-agent
+				// tpm_plugin_cli.py is at <repo>/hybrid-cloud-poc/tpm-plugin/tpm_plugin_cli.py
+				repoRoot := filepath.Join(exeDir, "..", "..")
+				possiblePaths = append(possiblePaths,
+					filepath.Join(repoRoot, "hybrid-cloud-poc/tpm-plugin/tpm_plugin_cli.py"),
+				)
+			}
 			for _, path := range possiblePaths {
 				if _, err := os.Stat(path); err == nil {
 					pluginPath = path
@@ -155,12 +166,18 @@ func newClient(c *Config) *client {
 			}
 		}
 
+		tpmPluginEndpoint := os.Getenv("TPM_PLUGIN_ENDPOINT")
+		if tpmPluginEndpoint == "" {
+			tpmPluginEndpoint = "unix:///tmp/spire-data/tpm-plugin/tpm-plugin.sock"
+		}
+
 		if pluginPath != "" {
-			tpmPluginEndpoint := os.Getenv("TPM_PLUGIN_ENDPOINT")
-			if tpmPluginEndpoint == "" {
-				tpmPluginEndpoint = "unix:///tmp/spire-data/tpm-plugin/tpm-plugin.sock"
-			}
 			cl.tpmPlugin = tpmplugin.NewTPMPluginGateway(pluginPath, "", tpmPluginEndpoint, c.Log)
+		} else {
+			// Even without CLI, initialize with just UDS endpoint for mTLS signing support
+			// This ensures PreferPKCS1v15 TLS policy is applied on fresh clones
+			c.Log.Info("Unified-Identity: TPM plugin CLI not found, initializing gateway with UDS endpoint only")
+			cl.tpmPlugin = tpmplugin.NewTPMPluginGateway("", "", tpmPluginEndpoint, c.Log)
 		}
 	}