
Add config-driven agent governance#1

Open
srimon12 wants to merge 1 commit into CursorTouch:main from veristamp:feature/governance

Conversation

@srimon12

Summary

This PR adds config-driven governance for local Operator agents and delegated runs.

The main change is a hard gate at tool execution time. Agents can now be assigned named policies from config.json, and delegated/background runs can be downscoped safely. This makes multi-agent usage practical without relying on prompt-only restrictions.

What Changed

  • Added a GovernanceProfile and enforced tool access in the ToolRegistry
  • Added named policies to config and bound them to agents through agents.list[].policy
  • Added path restrictions for filesystem, patch, and terminal tools
  • Protected runtime config and repo/code paths from agent access
  • Passed governance and protected-path context into local agents and background subagents
  • Removed misleading capability text from localagents
  • Updated setup flow so:
    • quick setup stays single-agent
    • full TUI setup supports per-agent policy configuration

Why

Operator already supports multiple local agents and delegation, but delegated agents were effectively over-privileged by default. This change introduces a runtime-enforced governance layer so agents can be specialized safely while staying config-driven.

Validation

  • Added and updated tests for config loading, registry enforcement, delegation, path restrictions, and agent flows
  • Ran real E2E verification with restricted and delegated tool usage
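An added example, not code from this PR or the Operator project, sketching the mechanism the description above lays out: a GovernanceProfile resolved from a constructed config.json (named policies bound through agents.list[].policy), a ToolRegistry check that runs at execution time and normalizes paths before matching them against protected and policy-allowed patterns, and an intersection-only downscope for delegated subagents. Every class name, config key, and path pattern here is an assumption about the design, not the project's actual API.

```python
import fnmatch
from dataclasses import dataclass
from pathlib import PurePosixPath

CONFIG = {  # constructed stand-in for config.json: named policies + agents.list[].policy bindings
    "policies": {"coder": {"tools": ["filesystem", "patch", "terminal"], "paths": ["workspace/**"]},
                 "reviewer": {"tools": ["filesystem"], "paths": ["workspace/**"]}},
    "agents": {"list": [{"name": "main", "policy": "coder"}, {"name": "sub", "policy": "reviewer"}]},
}
# Paths no policy may grant: the runtime config and the repo's own code (constructed patterns).
PROTECTED_PATHS = ("config.json", "src/**")
@dataclass(frozen=True)
class GovernanceProfile:
    name: str
    tools: frozenset
    paths: tuple

def load_profile(config: dict, agent_name: str) -> GovernanceProfile:
    """Resolve an agent's named policy; an agent bound to no policy gets no tools at all."""
    bound = {a["name"]: a["policy"] for a in config["agents"]["list"]}
    policy = config["policies"].get(bound.get(agent_name), {"tools": [], "paths": []})
    return GovernanceProfile(agent_name, frozenset(policy["tools"]), tuple(policy["paths"]))

def _normalize(path: str) -> str:
    """Collapse '.' and '..' so 'workspace/../config.json' cannot slip past the protected list."""
    parts: list = []
    for p in PurePosixPath(path).parts:
        if p == "..":
            parts and parts.pop()
        elif p not in (".", "/"):
            parts.append(p)
    return "/".join(parts)

def _matches(path, patterns): return any(fnmatch.fnmatchcase(path, pat) for pat in patterns)
class ToolRegistry:  # the hard gate: every tool call is checked here, at execution time
    def check(self, profile: GovernanceProfile, tool: str, path=None):
        if tool not in profile.tools:
            return False, f"{profile.name}: tool '{tool}' not granted by policy"
        if path is not None:  # filesystem/patch/terminal calls carry a target path
            norm = _normalize(path)
            if _matches(norm, PROTECTED_PATHS):
                return False, f"{profile.name}: '{norm}' is a protected path"
            if not _matches(norm, profile.paths):
                return False, f"{profile.name}: '{norm}' is outside the policy's paths"
        return True, "ok"

def delegate(parent: GovernanceProfile, tools, paths) -> GovernanceProfile:
    """Downscope for a background subagent: narrow the parent's grant, never widen it."""
    return GovernanceProfile(f"{parent.name}:sub", parent.tools & frozenset(tools),
                             tuple(p for p in paths if p in parent.paths))
```

The check deliberately rejects traversal into the protected config even when the policy's own path pattern would otherwise match, which is the kind of case a registry-level gate catches and a prompt-only restriction does not.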
