agent: secrets fail-loud on corrupt blob + small polish

Save and SaveAdmin now propagate loadBundle errors instead of silently
overwriting a corrupt file (data-loss fix). Tests added for both paths.
reportStats logs a Debug on RunStats failure; r in runJob gets a comment
explaining the prune-runner asymmetry; runner_test comment tightened.

internal/agent/secrets/secrets.go

@@ -161,7 +161,10 @@ func (s *Store) Load() (Repo, error) {
 // Save replaces the repo slot on disk atomically, preserving the
 // admin slot. Mode is 0600. Parent directory must already exist.
 func (s *Store) Save(r Repo) error {
-	b, _ := s.loadBundle() // ignore read errors; we overwrite repo slot
+	b, err := s.loadBundle()
+	if err != nil {
+		return fmt.Errorf("secrets: load before save: %w", err)
+	}
 	b.Repo = r
 	return s.saveBundle(b)
 }
@@ -182,7 +185,10 @@ func (s *Store) LoadAdmin() (Repo, error) {
 // SaveAdmin replaces the admin slot on disk atomically, preserving
 // the repo slot. Mode is 0600.
 func (s *Store) SaveAdmin(r Repo) error {
-	b, _ := s.loadBundle() // ignore read errors; we overwrite admin slot
+	b, err := s.loadBundle()
+	if err != nil {
+		return fmt.Errorf("secrets: load before save: %w", err)
+	}
 	b.Admin = &r
 	return s.saveBundle(b)
 }