Function handshake 

pub async fn handshake(
    cp_url: &str,
    machine_id: &str,
    clock: &ClockHandle,
    current_system_path: &Path,
    ca_cert: Option<&Path>,
    client_cert: Option<&Path>,
    client_key: Option<&Path>,
) -> RecoveryOutcome

Issue the gated first-heartbeat. Returns the recovery outcome so runtime::spawn can act on replay_from BEFORE starting workers.

cp_url is the agent’s --control-plane-url. machine_id matches the CN in the agent’s mTLS cert. The three ca_cert/client_cert/ client_key paths are threaded straight into crate::comms::build_client so the handshake rides the same mTLS identity post-Phase-7c workers use (DEFECT-003 + D-005). None for all three drops to TLS-only mode (no client cert) — acceptable for the wiremock-driven tests but never production.

Failure to reach CP is non-fatal: we return an outcome with no replay-from, and the steady-state heartbeat worker will keep retrying. Better to start the agent and have its long-poll + retries re-converge than to refuse to boot.