Review 3 docs: agent-change-process, build-authentik-container, create-authentik-secrets (#243)

## Summary
- Stamped `last-reviewed: 2026-02-22` on three never-reviewed docs
- `agent-change-process.md`: accurate, no content changes
- `build-authentik-container.md`: accurate, container image verified in registry
- `create-authentik-secrets.md`: added note about additional OIDC client secret fields added since original card was written

## Changelog
- `docs/changelog.d/doc-review/agent-change-process.doc.md` (not added — stamp-only, no user-visible change)

Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/243

docs/how-to/agent-change-process.md

@@ -1,6 +1,7 @@
 ---
 title: Agent Change Process
 modified: 2026-02-20
+last-reviewed: 2026-02-22
 tags:
   - how-to
   - ai

docs/how-to/authentik/build-authentik-container.md

@@ -1,6 +1,7 @@
 ---
 title: Build Authentik Container Image
 modified: 2026-02-20
+last-reviewed: 2026-02-22
 tags:
   - how-to
   - authentik

docs/how-to/authentik/create-authentik-secrets.md

@@ -1,6 +1,7 @@
 ---
 title: Create Authentik Secrets
-modified: 2026-02-20
+modified: 2026-02-22
+last-reviewed: 2026-02-22
 tags:
   - how-to
   - authentik
@@ -25,6 +26,7 @@ Create the 1Password item that the ExternalSecret references for Authentik confi
 ## Notes
 
 - The database password in this 1Password item is the same one used by the CNPG managed role via `external-secret-authentik.yaml`. Both the database ExternalSecret and the future Authentik deployment ExternalSecret reference the same 1Password item but different fields.
+- The 1Password item has since grown with OIDC client secrets (`grafana-client-secret`, `forgejo-client-secret`, `zot-client-secret`, `jellyfin-client-secret`) and an `api-token` field, added during subsequent service integrations.
 
 ## Related