feat(agent): give chat scoped utility tools

[JaimeCernuda]

Summary

• Gives chat-mode local utility questions a per-turn scoped DSPy ReAct surface.
• Exposes only tools marked visible to chat in tools/catalog.py; scientific tools remain behind their owning experts.
• Wraps chat-visible tools through _execute_tool_action() so permission checks, trace recording, tool telemetry, and expert handoff metadata stay on the normal CLIO path.
• Allows exact safe local shell diagnostics (date, get-date, pwd, whoami, hostname) while keeping arbitrary shell gated/denied without a no-session 120s permission wait.
• Updates TASK.md with live ALCF evidence for the slice.

Verification

• uv run ruff check --fix src/clio_agent/agent.py src/clio_agent/gact/app.py src/clio_agent/signatures/main_agent_sig.py tests/test_core/test_agent_planner.py tests/test_gact/test_permission_gate.py
• uv run ruff format src/clio_agent/agent.py src/clio_agent/gact/app.py src/clio_agent/signatures/main_agent_sig.py tests/test_core/test_agent_planner.py tests/test_gact/test_permission_gate.py
• uv run pytest tests/test_gact/test_permission_gate.py::test_builtin_shell_tool_allows_safe_diagnostic_command tests/test_gact/test_permission_gate.py::test_builtin_shell_tool_still_gates_non_diagnostic_command -q -> 2 passed
• uv run pytest tests/test_core/test_agent_planner.py::TestChatAgentNoBypass tests/test_core/test_agent_dispatch.py tests/test_gact/test_permission_gate.py -q -> 52 passed
• uv run pytest tests/ -> 1162 passed, 37 skipped
• Live ALCF Metis gpt-oss-120b GACT check on http://127.0.0.1:17966, routing_mode=chat, prompt: What is the current time on this machine? Please answer using the local utility tool. Result: error_info=null, selected route part chat, one visible shell_bash(date) call with ok=true, stdout Sunday, May 24, 2026 1:11:11 AM, and utility direct-tool handoff success.