Function validate_agent_id 

pub fn validate_agent_id(agent_id: &str) -> Result<()>

Validate an agent identifier (NHI-hardened) for wire-side use.

Calls validate_agent_id_shape for the shape check, then rejects the RESERVED_AGENT_IDS reserved-name set (issue #977) so wire callers cannot spoof an internal CallerContext principal. Internal callers constructing CallerContext::for_admin directly do not traverse this validator and remain unaffected; internal keypair load/generate uses validate_agent_id_shape (shape-only) so the daemon’s "daemon"-labelled self-signing keypair still loads.

This is the function every WIRE entry point MUST call:

• HTTP X-Agent-Id header / body agent_id field (crate::identity::resolve_http_agent_id)
• MCP-tool agent_id input (validated at each tool’s entry point)
• HTTP admin endpoints
• CLI --as-agent / identity generate