Add permission mode and tool restriction fields to AgentConfig

[geoffjay]

Context

Child of #78. Adds the data model fields needed for sandbox and permission mode configuration.

Changes

Add the following fields to AgentConfig, CreateAgentRequest, and AgentTemplate:

• permission_mode: Option<PermissionMode> — maps to --permission-mode CLI flag (values: default, plan, acceptEdits, dontAsk, bypassPermissions)
• allowed_tools: Vec<String> — maps to --allowed-tools flag (e.g., ["Bash(git:*)", "Read", "Grep"])
• disallowed_tools: Vec<String> — maps to --disallowed-tools flag
• tools: Vec<String> — maps to --tools flag (restricts available tool set entirely)
• skip_permissions: bool — maps to --dangerously-skip-permissions (for sandboxed environments)
• require_sandbox: bool — when true, refuse to launch if Claude Code sandbox not configured

Add a PermissionMode enum with serde serialization.

All fields default to empty/false so existing configs remain compatible.

Files

• crates/orchestrator/src/types.rs — AgentConfig, CreateAgentRequest, PermissionMode enum
• crates/cli/src/commands/apply.rs — AgentTemplate

Acceptance Criteria

• New fields added with appropriate serde defaults
• PermissionMode enum with rename_all = "camelCase" serialization
• Existing YAML templates and API requests still parse without changes
• cargo build --workspace passes