
fix(opencode): add read-only tool permissions for composer and steering agents (#405) #406

Merged
randomm merged 1 commit into dev from feature/issue-405-composer-permissions
Apr 9, 2026

@randomm randomm commented Apr 8, 2026

Fixes #405

What changed

  • Added READONLY_TOOLS constant to agent.ts with restrictive read-only permissions
  • Updated composer agent to use READONLY_TOOLS (was { "*": "deny" } with no allows)
  • Updated steering agent to use READONLY_TOOLS (was { "*": "deny" } with no allows)
  • Added 13 tests verifying tool visibility and bash pattern restrictions

Root cause

Both composer and steering agents had "*": "deny" with no explicit tool allows. The disabled() function correctly hid ALL tools because there were no non-wildcard allow rules to satisfy the hasSpecificAllow check. This made the Composer agent unable to read source files for task decomposition, causing taskctl start to fail.

READONLY_TOOLS configuration

{
  "*": "deny",
  read: "allow",
  grep: "allow",
  glob: "allow",
  list: "allow",
  codesearch: "allow",
  bash: {
    "vipune *": "allow",
    "colgrep *": "allow",
    "oo help *": "allow",
    "oo gh issue view *": "allow",
    "oo gh issue list *": "allow",
    "oo recall *": "allow",
  },
  external_directory: { [Truncate.GLOB]: "allow" },
}

Write tools (edit, write, patch) remain denied. Bash access is restricted to safe read-only commands only — dangerous commands like rm, curl, git push are denied.

Test plan

  • composer/steering: read tools visible via disabled()
  • composer/steering: write tools disabled via disabled()
  • composer/steering: evaluate() returns "allow" for read/grep/glob/list/codesearch
  • composer/steering: evaluate() returns "deny" for bash wildcard "*"
  • composer/steering: evaluate() returns "deny" for edit/write/patch
  • composer: safe bash patterns allowed (vipune, colgrep, oo help, oo gh issue view/list, oo recall)
  • composer: dangerous bash commands denied (rm, curl, git push, git add, cat ~/.ssh)
  • steering: safe bash patterns allowed (vipune, colgrep)
  • steering: dangerous bash commands denied (rm, curl)
  • user config override via merge (last-match-wins)

…ng agents (#405)

Composer and steering agents had '*: deny' with no explicit tool allows,
causing disabled() to hide ALL tools including read. This made the
Composer unable to read source files for task decomposition.

Add READONLY_TOOLS constant with read/grep/glob/list/codesearch and
restrictive bash patterns (vipune, colgrep, oo help, oo gh issue
view/list, oo recall). Both composer and steering agents now use this
constant for consistent, safe read-only codebase access.
@randomm randomm merged commit 327e68f into dev Apr 9, 2026
1 check passed
@randomm randomm deleted the feature/issue-405-composer-permissions branch April 9, 2026 20:40
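
The rule semantics this PR describes, as an added TypeScript sketch that is not the project's agent.ts. It shows why a bare "*": "deny" hides every tool and what READONLY_TOOLS changes under last-match-wins. The helpers toRules and glob and the fall-back-to-deny default are assumptions of this model, and external_directory is left out.

```typescript
// Added sketch, not the project's agent.ts: a simplified model of the rule
// semantics the PR names (evaluate(), disabled(), last-match-wins).
type Action = "allow" | "deny";
type Config = { [tool: string]: Action | { [pattern: string]: Action } };
type Rule = { tool: string; pattern: string; action: Action };

const DENY_ALL: Config = { "*": "deny" }; // composer/steering before the fix
// Copied from the PR description; external_directory is not modelled here.
const READONLY_TOOLS: Config = {
  "*": "deny",
  read: "allow", grep: "allow", glob: "allow", list: "allow", codesearch: "allow",
  bash: {
    "vipune *": "allow", "colgrep *": "allow", "oo help *": "allow",
    "oo gh issue view *": "allow", "oo gh issue list *": "allow", "oo recall *": "allow",
  },
};

// Flatten a config into an ordered rule list; order drives last-match-wins.
function toRules(cfg: Config): Rule[] {
  const rules: Rule[] = [];
  for (const tool of Object.keys(cfg)) {
    const v = cfg[tool];
    if (typeof v === "string") rules.push({ tool, pattern: "*", action: v });
    else if (v) for (const p of Object.keys(v)) rules.push({ tool, pattern: p, action: v[p] });
  }
  return rules;
}

// "*" matches any run of characters; every other character is literal.
function glob(pattern: string, value: string): boolean {
  const body = pattern.split("*").map(s => s.replace(/[.+?^${}()|[\]\\]/g, "\\$&")).join("[\\s\\S]*");
  return new RegExp("^" + body + "$").test(value);
}

// Last matching rule wins; "no rule matched" falls back to deny (assumption).
function evaluate(rules: Rule[], tool: string, arg: string = "*"): Action {
  let result: Action = "deny";
  for (const r of rules) if (glob(r.tool, tool) && glob(r.pattern, arg)) result = r.action;
  return result;
}

// Hide a tool only if it is denied outright and no rule naming it allows anything.
function disabled(rules: Rule[], tools: string[]): string[] {
  const hasSpecificAllow = (t: string) => rules.some(r => r.tool === t && r.action === "allow");
  return tools.filter(t => evaluate(rules, t) === "deny" && !hasSpecificAllow(t));
}
```

In this model bash stays visible because a bash-specific allow rule exists, while the bare bash wildcard still evaluates to "deny"; a user rule appended after these rules overrides them because the last match wins.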
Successfully merging this pull request may close these issues.

Bug: Composer agent has no tool permissions — cannot read codebase to decompose issues
