chore(security): pin TLSv1.2 floor on control-plane mTLS clients

Follow-up to V9.1.4 (which covered only the syslog forwarder/listener): set
ctx.minimum_version = TLSVersion.TLSv1_2 on the remaining DECNET-owned mTLS
client contexts — AgentClient (_build_client + _fetch_peer_fingerprint),
UpdaterClient (_build_client + _fetch_peer_fingerprint), and the updater
executor's worker context. Pure hardening, no behavior change for TLS1.2+
peers (confirmed by the existing mTLS round-trip suites).

Deliberately EXCLUDED — hardening these would be counterproductive:
- templates/https/server.py, templates/rdp/server.py: honeypot listeners,
  where looking weak/old is part of the deception.
- prober/tlscert.py: outbound TLS fingerprinting prober, which must speak
  whatever the attacker's target offers.

Added a floor-assertion test (spies httpx.AsyncClient to capture the real
verify= context).

decnet/updater/executor.py

@@ -519,6 +519,7 @@ def _probe_agent(
     if not (worker_key.is_file() and worker_crt.is_file() and ca.is_file()):
         return False, f"no mTLS bundle at {agent_dir}"
     ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
+    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
     ctx.load_cert_chain(certfile=str(worker_crt), keyfile=str(worker_key))
     ctx.load_verify_locations(cafile=str(ca))
     ctx.verify_mode = ssl.CERT_REQUIRED