permissionMode field per sub-agent

[bug-ops]

Part of #974

Background

Claude Code's agent frontmatter supports a permissionMode field that controls how the agent interacts with permission prompts: default (prompts user), acceptEdits (auto-accepts file edits), dontAsk (auto-accepts everything except shell), bypassPermissions (no prompts at all), and plan (read-only planning mode). This lets automated or trusted agents run without interactive approval while keeping interactive agents safe.

Current state in Zeph

SubAgentPermissions has secrets: bool and background: bool flags but no unified permission mode concept. The FilteredToolExecutor enforces tool policy but does not distinguish between interactive approval and automatic bypass. Zeph currently has no interactive permission prompt system.

Implementation

1. Define PermissionMode enum:

   pub enum PermissionMode {
       Default,            // tools follow normal ToolPolicy; destructive tools may prompt
       AcceptEdits,        // file write/edit tools are auto-approved
       DontAsk,            // all tools auto-approved except shell (requires explicit allow)
       BypassPermissions,  // all tools auto-approved including shell
       Plan,               // no tool calls permitted; agent output is plan text only
   }

2. Add permission_mode: PermissionMode to SubAgentDef and AgentFileSpec.

3. Integrate into FilteredToolExecutor:

   • Plan mode: all tool calls return Err(ToolBlocked::PlanMode) immediately.
   • BypassPermissions: skip all policy checks.
   • DontAsk: auto-approve all except shell; shell requires explicit allow.
   • AcceptEdits: auto-approve write_file, edit_file, create_file without prompting.
   • Default: existing behavior unchanged.

4. Add permission_mode to the [agent] TOML config section for runtime override.

5. CLI flag: --permission-mode <mode> for agent run subcommand.

Acceptance criteria

• permission_mode: plan blocks all tool calls and returns a typed error.
• permission_mode: bypass_permissions skips FilteredToolExecutor policy evaluation entirely.
• permission_mode: dont_ask permits all non-shell tools automatically.
• permission_mode: accept_edits auto-approves file mutation tools.
• PermissionMode implements serde::Deserialize with #[serde(rename_all = "snake_case")].
• Unit tests cover each mode variant's allow/block behavior.
• cargo nextest run -p zeph-core passes.

Technical notes

• PermissionMode::Default maps to current FilteredToolExecutor logic — no behavioral change for existing agents.
• Plan mode system prompt injection: prepend a system message reminding the agent it is in plan-only mode (belt-and-suspenders alongside the tool block).
• Keep PermissionMode in zeph-core/src/subagent/permission.rs.
• --permission-mode bypass_permissions should emit a warn! log entry noting the elevated permission level.