Commit 2185192
docs: agent tunnel gateway identity & endpoint resolution design
Captures the root cause behind silent enrollment-success-but-no-tunnel
failures we hit during integration testing, the constraints we've
confirmed with the team, and the proposed redesign:
- Decouple Gateway's cryptographic identity (server cert SAN) from its
network reachability (the host agents dial). Replace single conf.hostname
with AgentTunnel.AdvertisedNames (multi-SAN, label-able).
- Agent derives its QUIC endpoint from the host it enrolled through
(jet_gw_url) + a quic_port returned by the gateway, instead of accepting
whatever hostname the gateway dictates.
- Gateway validates enrollment URL host against AdvertisedNames upfront,
with a structured 400 response carrying error/message/help.
- New agent.exe verify-tunnel subcommand wired into the MSI CA so install
success means the tunnel is actually up, not just that a cert was
written. Errors expose a structured kind/detail/next_step triple.
- DVLS enrollment-string UI becomes a dropdown over AdvertisedNames
(refreshed from gateway diagnostics) instead of a free-text URL box.
Includes a 9-entry error catalog with operator-facing next-step text,
non-goals (single-use enforcement, gateway farms — deferred), migration
path, and a 5-PR implementation plan.
Includes Codex's review.

Parent: e48b801
1 file changed: 536 additions & 0 deletions
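As an added illustration (not project code and not taken from the design document this commit adds) of three pieces the message describes: the gateway rejecting up front an enrollment URL whose host is not in AdvertisedNames, with an error/message/help body; the agent deriving its QUIC endpoint from the jet_gw_url host plus the quic_port the gateway returns; and a verify-tunnel style check that reports a kind/detail/next_step triple instead of treating a written cert as success. Function names, body field names, the sample advertised names and the injected dial() are assumptions.

```python
from urllib.parse import urlsplit

# Constructed sample AgentTunnel.AdvertisedNames: (server-cert SAN, operator label).
ADVERTISED_NAMES = (("gw.corp.example", "lan"), ("gw.example.com", "public"))


def enrollment_host(jet_gw_url):
    """Host the agent enrolled through, or None if the URL is not https with a host."""
    parts = urlsplit(jet_gw_url)
    if parts.scheme != "https" or not parts.hostname:
        return None
    return parts.hostname.lower()


def validate_enrollment_url(jet_gw_url, advertised_names, quic_port):
    """Gateway side: reject up front any host that is not advertised.
    Returns (status, body); a 400 body carries the error/message/help triple."""
    host = enrollment_host(jet_gw_url)
    if host is None:
        return 400, {"error": "invalid_enrollment_url",
                     "message": f"{jet_gw_url!r} is not an https URL with a host",
                     "help": "Use the enrollment string generated by DVLS."}
    if host not in {name.lower() for name, _label in advertised_names}:
        return 400, {"error": "host_not_advertised",
                     "message": f"{host} is not in AgentTunnel.AdvertisedNames",
                     "help": "Add it to AdvertisedNames (and the cert SAN) or enroll via an advertised name."}
    return 200, {"quic_port": quic_port}


def derive_quic_endpoint(jet_gw_url, enrollment_body):
    """Agent side: reuse the host it enrolled through; only the port comes from the gateway."""
    return enrollment_host(jet_gw_url), int(enrollment_body["quic_port"])


def verify_tunnel(endpoint, cert_sans, dial):
    """Post-install check: None when the tunnel is up, else a kind/detail/next_step triple.
    dial(host, port) -> bool stands in for the real QUIC handshake (assumption)."""
    host, port = endpoint
    if host not in {san.lower() for san in cert_sans}:
        return {"kind": "identity_mismatch",
                "detail": f"server cert SANs {sorted(cert_sans)} do not cover {host}",
                "next_step": "Add the name to AdvertisedNames so the cert is reissued with it."}
    if not dial(host, port):
        return {"kind": "unreachable",
                "detail": f"no QUIC handshake with {host}:{port}",
                "next_step": "Check that quic_port is open on the firewall for this name."}
    return None
```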