
Function bind_agent_pubkey 

pub fn bind_agent_pubkey(
    conn: &Connection,
    agent_id: &str,
    pubkey_b64: &str,
) -> Result<()>

Bind (or rotate) an agent’s Ed25519 public key into its _agents registration row metadata (#626 Layer-3, Task 1.3 / C3).

The pubkey is the anchor the write-path attestation gate verifies against: a signed write claiming agent_id is upgraded from claimed to attested only when its signature verifies under the key bound here. The key is stored under metadata.agent_pubkey (URL-safe, unpadded base64) alongside a pubkey_bound_at RFC3339 timestamp that records when the current key took effect (rotation provenance).

Migration-free: the key rides in the existing registration row’s JSON metadata (no schema bump). json_set updates metadata and the mirrored content column atomically so list_agents / the verifier observe a consistent row.

The agent MUST already be registered (register_agent): binding a key to an unregistered id is rejected rather than inserting a row, so a stray pubkey can never shadow a future legitimate registration. Re-binding overwrites the previous key (key rotation / revoke-then-rebind). Rotation is destructive: the previous key is not retained, signatures made under it no longer verify at the gate, and pubkey_bound_at is the only record of when the change happened.

§Errors

  • the agent is not registered (no _agents row for agent_id)
  • the underlying UPDATE fails
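
The binding semantics described above, as an added example that is not the crate's own code: a Python model over the standard-library sqlite3 module rather than the project's Rust and rusqlite. It assumes a minimal `_agents` table (agent_id, a JSON metadata column, and a mirrored JSON content column) and a stand-in register_agent, since the page shows neither the schema nor that function. It also adds input canonicalisation (decode, 32-byte Ed25519 length check, re-encode) that the page does not describe, and it does not show the write-path signature verification itself.

```python
"""Model of bind_agent_pubkey over SQLite (stdlib only); assumptions noted inline."""
import base64
import json
import sqlite3
from datetime import datetime, timezone

# Assumed minimal shape of the _agents registration table (the real schema is
# not on the page): an id, JSON metadata, and a content column mirroring it.
SCHEMA = """
CREATE TABLE IF NOT EXISTS _agents (
    agent_id TEXT PRIMARY KEY,
    metadata TEXT NOT NULL DEFAULT '{}',
    content  TEXT NOT NULL DEFAULT '{}'
)
"""

ED25519_PUBKEY_LEN = 32


class AgentNotRegistered(Exception):
    """No _agents row exists for agent_id (the first error case on the page)."""


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn


def register_agent(conn, agent_id, metadata=None):
    """Assumed stand-in for the project's register_agent: insert the row."""
    blob = json.dumps(metadata or {})
    with conn:
        conn.execute(
            "INSERT INTO _agents (agent_id, metadata, content) VALUES (?, ?, ?)",
            (agent_id, blob, blob),
        )


def encode_pubkey(raw: bytes) -> str:
    """URL-safe base64 with the '=' padding stripped, the stored form."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def canonical_pubkey(pubkey_b64: str) -> str:
    """Strictly decode, enforce the Ed25519 length, re-encode to the stored form."""
    padded = pubkey_b64 + "=" * (-len(pubkey_b64) % 4)
    raw = base64.b64decode(padded, altchars=b"-_", validate=True)
    if len(raw) != ED25519_PUBKEY_LEN:
        raise ValueError(f"expected {ED25519_PUBKEY_LEN}-byte key, got {len(raw)}")
    return encode_pubkey(raw)


def bind_agent_pubkey(conn, agent_id: str, pubkey_b64: str) -> str:
    """Bind or rotate the key; returns the RFC3339 pubkey_bound_at written."""
    key = canonical_pubkey(pubkey_b64)
    bound_at = datetime.now(timezone.utc).isoformat(timespec="seconds")
    bound_at = bound_at.replace("+00:00", "Z")
    # A single UPDATE rewrites both JSON columns, so a reader sees either the
    # old pair or the new pair, never a rotated metadata with stale content.
    with conn:
        cur = conn.execute(
            """
            UPDATE _agents
               SET metadata = json_set(metadata, '$.agent_pubkey', ?, '$.pubkey_bound_at', ?),
                   content  = json_set(content,  '$.agent_pubkey', ?, '$.pubkey_bound_at', ?)
             WHERE agent_id = ?
            """,
            (key, bound_at, key, bound_at, agent_id),
        )
        if cur.rowcount == 0:
            # Nothing matched: refuse instead of inserting, so a stray key can
            # never pre-seed (shadow) a later legitimate registration.
            raise AgentNotRegistered(agent_id)
    return bound_at


def bound_pubkey(conn, agent_id: str):
    """What the attestation gate reads: (pubkey, bound_at, mirror_ok) or None."""
    row = conn.execute(
        "SELECT json_extract(metadata, '$.agent_pubkey'),"
        "       json_extract(metadata, '$.pubkey_bound_at'),"
        "       json_extract(content,  '$.agent_pubkey')"
        "  FROM _agents WHERE agent_id = ?",
        (agent_id,),
    ).fetchone()
    if row is None or row[0] is None:
        return None
    return row[0], row[1], row[0] == row[2]


# Constructed sample keys (not real agent keys): any 32 bytes encode the same way.
KEY_A = encode_pubkey(bytes([0x01]) * 32)
KEY_B = encode_pubkey(bytes([0x02]) * 32)


def demo() -> dict:
    """Walk the page's rules: reject unregistered, bind, rotate, reject bad input."""
    conn = open_db()
    register_agent(conn, "agent-7", {"name": "crawler"})
    out = {}
    try:
        bind_agent_pubkey(conn, "agent-9", KEY_A)  # never registered
        out["unregistered_rejected"] = False
    except AgentNotRegistered:
        out["unregistered_rejected"] = True
    out["stray_row_created"] = conn.execute(
        "SELECT COUNT(*) FROM _agents WHERE agent_id = 'agent-9'").fetchone()[0] != 0
    bind_agent_pubkey(conn, "agent-7", KEY_A)
    first = bound_pubkey(conn, "agent-7")
    bind_agent_pubkey(conn, "agent-7", KEY_B)  # rotation overwrites KEY_A
    second = bound_pubkey(conn, "agent-7")
    out["first_key"], out["rotated_key"] = first[0], second[0]
    out["mirror_consistent"] = first[2] and second[2]
    meta = json.loads(conn.execute(
        "SELECT metadata FROM _agents WHERE agent_id = 'agent-7'").fetchone()[0])
    out["other_metadata_kept"] = meta.get("name") == "crawler"
    out["bound_at_is_rfc3339"] = second[1].endswith("Z") and len(second[1]) == 20
    try:
        bind_agent_pubkey(conn, "agent-7", "not-a-key")
        out["bad_key_rejected"] = False
    except ValueError:
        out["bad_key_rejected"] = True
    return out


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The rejection of an unregistered id falls out of the UPDATE's matched-row count rather than a prior SELECT, which avoids a check-then-act window where a registration could appear or vanish between the two statements; it is also why nothing ever inserts a row from this path.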