feat: POST /api/admin/agent-keys — system-keyed raw key minting
New admin endpoint for provisioning per-agent dialectic API keys
during recruitment. Auth via separate x-dialectic-admin-key header
matching env DIALECTIC_ADMIN_API_KEY (not bearer — admin lifecycle
is independent of agent identity).
Behavior:
- Body {agent_id, force?}; generates 32-byte hex raw key; stores
sha256-peppered hash in agent_keys; returns raw key (ONLY time
exposed — caller stores in agent secret-mgr)
- 409 on existing agent_id unless force:true (rotates the hash,
clears last_used_at + revoked_at)
- Closed-by-default: if DIALECTIC_ADMIN_API_KEY env is empty, every
request 401s
Caller pattern: skills/dialectic-hangman-lab/scripts/dialectic-ctrl
(to be added) reads admin key from
/root/.openclaw/system-secrets/dialectic-admin-key on the openclaw
host, POSTs to admin endpoint, stores returned raw key in the proxy-
for agent secret-mgr (inherits the proxy-pcexec context from
recruitment/onboard).
Unblocks Phase 3.5 plan to provision all prod agents and integrate
into recruitment skill.
@@ -63,6 +63,7 @@ func Mount(cfg *config.Config, db *sqlx.DB, version string) http.Handler {
|
||||
signupsH := handlers.NewSignupsHandler(topicStore, signupStore)
|
||||
argsH := handlers.NewArgumentsHandler(topicStore, campStore, roundStore, argStore)
|
||||
verdictH := handlers.NewVerdictHandler(topicStore, campStore, verdictStore)
|
||||
adminH := handlers.NewAdminHandler(db, cfg.AgentAPIKeyPepper, cfg.DialecticAdminAPIKey)
|
||||
|
||||
// Routes.
|
||||
r.Route("/api", func(r chi.Router) {
|
||||
@@ -95,6 +96,11 @@ func Mount(cfg *config.Config, db *sqlx.DB, version string) http.Handler {
|
||||
r.Use(requireAnyAuth)
|
||||
r.Get("/topics/{id}/signups", signupsH.List)
|
||||
})
|
||||
|
||||
// Admin: provision an agent api key. Auth is its own header
|
||||
// (x-dialectic-admin-key against env DIALECTIC_ADMIN_API_KEY),
|
||||
// not bearer — admin lifecycle is separate from agent identity.
|
||||
r.Post("/admin/agent-keys", adminH.ProvisionAgentKey)
|
||||
})
|
||||
|
||||
return r
|
||||
|
||||
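Review bot: The new `r.Post("/admin/agent-keys", adminH.ProvisionAgentKey)` route in the second hunk is registered directly under `/api` with no router-level guard, unlike the group just above it that has `r.Use(requireAnyAuth)`. Authentication for key minting therefore depends entirely on code inside the handler, which this page does not show. I would put the route in its own group behind an admin-key middleware so that later `/admin/*` routes inherit the closed-by-default behaviour, e.g. `r.Group(func(r chi.Router) { r.Use(requireAdminKey(cfg.DialecticAdminAPIKey)); r.Post("/admin/agent-keys", adminH.ProvisionAgentKey) })`, where `requireAdminKey` is a new helper that does not exist yet. Wherever the check lives, please confirm that it rejects an empty configured key before comparing (an empty header would otherwise match an empty secret) and that it compares with `subtle.ConstantTimeCompare` rather than `==`. The body of `Mount` starts and ends outside both hunks, so any middleware applied earlier on `r` is not visible here.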