
feat(agw): new customer agents auth #187

Closed
NicoleMGomes wants to merge 6 commits into main from feat/customer-agent-auth


Conversation

@NicoleMGomes

@NicoleMGomes NicoleMGomes commented Jun 24, 2026

Contributor

Disclaimer: Do not include SAP-internal or customer-specific information in this PR (e.g. internal system URLs, customer names, tenant IDs, or confidential configurations). This is a public repository.

Description

Adds transparent TLS mode for customer agents running under the OpenShell Gateway. In this mode the gateway intercepts the HTTPS connection and injects the mTLS client certificate at the TLS layer, so the agent process never loads certificate or private key material. The agent only needs three environment variables (CLIENT_ID, TOKEN_SERVICE_URL, GATEWAY_URL) instead of a full credentials file with embedded PEM strings.

Changes:

  • config.py: new TlsMode enum (STANDARD / TRANSPARENT) and tls_mode field on ClientConfig. ClientConfig.from_env() resolves the mode from the AGW_TLS_MODE environment variable.
  • _models.py: CustomerCredentials.certificate and private_key are now str | None (both are None in transparent mode).
  • _customer.py:
    • detect_customer_agent_credentials(tls_mode) skips file detection when tls_mode=TRANSPARENT.
    • load_customer_credentials_from_env() — loads credentials from env vars for transparent mode.
    • _create_http_client_transparent() — creates httpx.Client without an SSL context.
    • _request_token_transparent() — sends the OAuth2 POST body without touching certificates.
    • get_system_token_transparent() and exchange_user_token_transparent() — caching-aware wrappers for the transparent token flows.
  • agw_client.py: all four public methods (get_system_auth, get_user_auth, list_mcp_tools, call_mcp_tool) pass tls_mode to credential detection and branch into the transparent path when needed.

Type of Change

  • Bug fix (non-breaking change that fixes an issue)
  • New feature (non-breaking change that adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Documentation update
  • Code refactoring
  • Dependency update

How to Test

Standard mode (existing behaviour — should be unchanged):

  1. Ensure no AGW_TLS_MODE environment variable is set.
  2. Mount a credentials file at the default path or set AGW_CREDENTIALS_PATH.
  3. create_client() followed by list_mcp_tools() should work exactly as before.

Transparent mode (new):

  1. Set AGW_TLS_MODE=transparent in the environment.
  2. Set CLIENT_ID, TOKEN_SERVICE_URL, GATEWAY_URL (and optionally INTEGRATION_DEPENDENCIES).
  3. Ensure HTTPS_PROXY points to a running OpenShell Gateway.
  4. Run:
    ```python
    import asyncio

    from sap_cloud_sdk.agentgateway import create_client
    from sap_cloud_sdk.agentgateway.config import ClientConfig


    async def main() -> None:
        # from_env() resolves tls_mode from AGW_TLS_MODE and reads CLIENT_ID,
        # TOKEN_SERVICE_URL and GATEWAY_URL; no PEM material is loaded
        client = create_client(config=ClientConfig.from_env())
        auth = await client.get_system_auth()
        print(auth.access_token)  # token acquired via gateway-injected mTLS


    asyncio.run(main())
    ```
  5. Verify that no ssl.SSLContext is created and no temp cert/key files are written.

Unit tests:

uv run pytest tests/agentgateway/unit/test_config.py tests/agentgateway/unit/test_customer.py -q

Expected: all 51 tests pass.

Checklist

  • I have read the Contributing Guidelines
  • I have verified that my changes solve the issue
  • I have added/updated automated tests to cover my changes
  • All tests pass locally
  • I have verified that my code follows the Code Guidelines
  • I have updated documentation (if applicable)
  • I have added type hints for all public APIs
  • My code does not contain sensitive information (credentials, tokens, etc.)
  • I have followed Conventional Commits for commit messages

@NicoleMGomes NicoleMGomes marked this pull request as ready for review June 25, 2026 08:58
@NicoleMGomes NicoleMGomes requested a review from a team as a code owner June 25, 2026 08:58
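The following is an added example, not code from this PR or from the sap_cloud_sdk project, that models the two credential paths the description outlines: mode resolution from AGW_TLS_MODE, the transparent-mode loader that reads only CLIENT_ID, TOKEN_SERVICE_URL and GATEWAY_URL and leaves certificate and private_key as None, and the standard-mode loader that expects embedded PEM strings. The names TlsMode, CustomerCredentials, resolve_tls_mode, load_credentials_from_env, credentials_from_mapping, detect_credentials, https_proxy_configured and the credentials-file layout are all hypothetical stand-ins for the project's config.py / _customer.py APIs. The point a reviewer would check is visible in the code: each loader fails closed on a missing or empty variable, an unknown AGW_TLS_MODE value is rejected rather than silently treated as standard, and nothing in the transparent path ever touches key material.

```python
"""Added example (hypothetical names, not the project's own code) modelling
the STANDARD vs TRANSPARENT credential paths described in PR #187."""
from __future__ import annotations

import json
from dataclasses import dataclass
from enum import Enum
from typing import Any, Mapping


class TlsMode(Enum):
    STANDARD = "standard"        # agent process loads cert/key itself
    TRANSPARENT = "transparent"  # gateway injects the mTLS client cert


@dataclass(frozen=True)
class CustomerCredentials:
    client_id: str
    token_service_url: str
    gateway_url: str
    certificate: str | None = None   # None in transparent mode
    private_key: str | None = None   # None in transparent mode

    @property
    def uses_in_process_mtls(self) -> bool:
        """True only when the agent itself holds the private key."""
        return self.private_key is not None


# Variables the PR says transparent mode needs; INTEGRATION_DEPENDENCIES is optional.
REQUIRED_TRANSPARENT_VARS = ("CLIENT_ID", "TOKEN_SERVICE_URL", "GATEWAY_URL")
# Hypothetical keys of a standard-mode credentials file with embedded PEM strings.
REQUIRED_FILE_KEYS = ("client_id", "token_service_url", "gateway_url", "certificate", "private_key")


def resolve_tls_mode(env: Mapping[str, str]) -> TlsMode:
    """Map AGW_TLS_MODE to a TlsMode. Unset means STANDARD; unknown values are an error,
    so a typo cannot silently fall back to the wrong mode."""
    raw = env.get("AGW_TLS_MODE", "standard").strip().lower()
    try:
        return TlsMode(raw)
    except ValueError:
        allowed = [m.value for m in TlsMode]
        raise ValueError(f"AGW_TLS_MODE must be one of {allowed}, got {raw!r}") from None


def load_credentials_from_env(env: Mapping[str, str]) -> CustomerCredentials:
    """Transparent-mode loader: only identifiers and URLs, never PEM material.
    Fails closed if any required variable is missing or empty."""
    missing = [name for name in REQUIRED_TRANSPARENT_VARS if not env.get(name)]
    if missing:
        raise ValueError(f"transparent TLS mode requires environment variables {missing}")
    return CustomerCredentials(
        client_id=env["CLIENT_ID"],
        token_service_url=env["TOKEN_SERVICE_URL"],
        gateway_url=env["GATEWAY_URL"],
    )


def credentials_from_mapping(data: Mapping[str, Any]) -> CustomerCredentials:
    """Standard-mode parser for an already-decoded credentials file (hypothetical layout)."""
    missing = [key for key in REQUIRED_FILE_KEYS if not data.get(key)]
    if missing:
        raise ValueError(f"credentials file is missing {missing}")
    return CustomerCredentials(
        client_id=data["client_id"],
        token_service_url=data["token_service_url"],
        gateway_url=data["gateway_url"],
        certificate=data["certificate"],
        private_key=data["private_key"],
    )


def load_credentials_from_file(path: str) -> CustomerCredentials:
    """Standard-mode loader: read the JSON credentials file from disk."""
    with open(path, encoding="utf-8") as fh:
        return credentials_from_mapping(json.load(fh))


def https_proxy_configured(env: Mapping[str, str]) -> bool:
    """Transparent mode only works if the HTTPS connection is routed via the gateway."""
    return bool(env.get("HTTPS_PROXY") or env.get("https_proxy"))


def detect_credentials(env: Mapping[str, str],
                       default_path: str = "/hypothetical/path/credentials.json") -> CustomerCredentials:
    """Branch on the resolved mode: transparent skips file detection entirely."""
    mode = resolve_tls_mode(env)
    if mode is TlsMode.TRANSPARENT:
        if not https_proxy_configured(env):
            raise ValueError("transparent TLS mode requires HTTPS_PROXY to point at the gateway")
        return load_credentials_from_env(env)
    return load_credentials_from_file(env.get("AGW_CREDENTIALS_PATH", default_path))


if __name__ == "__main__":
    # Constructed sample environment, not real values.
    sample_env = {
        "AGW_TLS_MODE": "transparent",
        "CLIENT_ID": "sample-client",
        "TOKEN_SERVICE_URL": "https://token.example.invalid",
        "GATEWAY_URL": "https://gateway.example.invalid",
        "HTTPS_PROXY": "http://127.0.0.1:8080",
    }
    creds = detect_credentials(sample_env)
    print("in-process mTLS:", creds.uses_in_process_mtls)  # False in transparent mode
```

A unit test for the transparent path can therefore assert that `certificate` and `private_key` are `None` and that no SSL context is built, which is the same property the PR's "How to Test" step 5 asks a reviewer to verify by hand.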