
Add full client-tool policy mode types #37

@lsaether

Description


Context

#2 defined a broader client-tool policy matrix for agent-initiated ACP client requests. #36 implements the first safety slice: block fs/* and terminal/* by default, keep session/request_permission collaborative behavior, and preserve the old raw broadcast path only behind --unsafe-debug-client-tool-broadcast.

Before adding real executor-owned or selected-peer behavior, the code should grow the full policy type surface so future work does not accrete ad hoc starts_with("fs/") / starts_with("terminal/") branches.

Goal

Add the remaining policy mode types and namespace-level policy model needed for follow-up implementations, while preserving the safe runtime behavior from #36.

Desired mode vocabulary:

enum ClientToolMode {
    /// Blocked: not forwarded to subscribers and capability not advertised.
    /// Current default for fs/* and terminal/*.
    Block,
    /// Raw broadcast to subscribers, reachable only behind
    /// --unsafe-debug-client-tool-broadcast.
    UnsafeDebug,
    /// Scaffolding: route to one selected capable peer (not operational yet).
    SinglePassThrough,
    /// Scaffolding: mux/executor-owned fs and terminal handling (not operational yet).
    SelfHandle,
}

single_pass_through and self_handle do not need to be operational in this issue. The important part is making them explicit, documented, and safely represented in config/CLI parsing or internal policy construction before implementing either mode.

Scope

  • Extend the policy model to include SinglePassThrough and SelfHandle variants.
  • Keep the current defaults unchanged:
    • fs/* -> Block
    • terminal/* -> Block
    • --unsafe-debug-client-tool-broadcast still maps the supported namespaces to UnsafeDebug
  • Preserve the current unknown-method behavior unless a separate design decision changes it; this issue should not silently start blanket-blocking unrelated agent requests.
  • If the new modes are parseable/configurable before they are implemented, they must fail closed:
    • do not advertise fs / terminal capabilities for unimplemented modes;
    • do not forward actionable requests to subscribers;
    • return a structured JSON-RPC error explaining that the selected mode is not implemented yet.
  • Add docs/comments that explain these are scaffolding modes for future PRs.
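The namespace-level model the scope above asks for, as an added Rust sketch rather than the project's own code: defaults from #36, the unsafe-debug flag mapping, unknown methods left ungoverned, and scaffolding modes that fail closed. The set_mode hook, the sample fs method name and the JSON-RPC error codes are assumptions.

```rust
use std::collections::BTreeMap;

/// Mode vocabulary from the issue; only Block and UnsafeDebug are operational.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum ClientToolMode { Block, UnsafeDebug, SinglePassThrough, SelfHandle }

impl ClientToolMode {
    /// SinglePassThrough and SelfHandle are scaffolding for later PRs.
    pub fn is_implemented(self) -> bool {
        matches!(self, ClientToolMode::Block | ClientToolMode::UnsafeDebug)
    }
}

/// Outcome for one agent-initiated client request.
#[derive(Debug, PartialEq, Eq)]
pub enum Decision {
    Ungoverned,                            // outside governed namespaces: existing behavior kept
    Broadcast,                             // raw fanout, only via the unsafe-debug flag
    Reject { code: i64, message: String }, // structured JSON-RPC error, nothing forwarded (codes assumed)
}

/// Namespace-level policy: "fs" and "terminal" each carry one mode.
pub struct ClientToolPolicy { modes: BTreeMap<&'static str, ClientToolMode> }

impl ClientToolPolicy {
    /// Default construction mirrors #36: both namespaces Block unless
    /// --unsafe-debug-client-tool-broadcast maps them to UnsafeDebug.
    pub fn new(unsafe_debug_broadcast: bool) -> Self {
        let mode = if unsafe_debug_broadcast { ClientToolMode::UnsafeDebug } else { ClientToolMode::Block };
        Self { modes: BTreeMap::from([("fs", mode), ("terminal", mode)]) }
    }
    /// Hypothetical config hook so a scaffolding mode can be selected and tested.
    pub fn set_mode(&mut self, ns: &'static str, mode: ClientToolMode) { self.modes.insert(ns, mode); }
    /// Capabilities are advertised only for an implemented, non-blocking mode.
    pub fn advertises(&self, ns: &str) -> bool {
        self.modes.get(ns).map_or(false, |m| m.is_implemented() && *m != ClientToolMode::Block)
    }
    /// Unknown methods stay ungoverned; unimplemented modes fail closed with an error.
    pub fn decide(&self, method: &str) -> Decision {
        match method.split_once('/').and_then(|(ns, _)| self.modes.get(ns)) {
            None => Decision::Ungoverned,
            Some(ClientToolMode::UnsafeDebug) => Decision::Broadcast,
            Some(ClientToolMode::Block) => Decision::Reject {
                code: -32601, message: format!("{method} is blocked by client-tool policy") },
            Some(m) => Decision::Reject {
                code: -32000, message: format!("mode {m:?} for {method} is not implemented yet") },
        }
    }
}
```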

Non-goals

  • Implement single_pass_through routing.
  • Implement terminalId -> peerId ownership tracking.
  • Implement mux-owned fs/* or terminal/* execution.
  • Reintroduce raw fanout outside the explicit unsafe-debug path.
  • Change session/request_permission behavior.

Acceptance criteria

  • Unit tests cover default policy construction and all ClientToolMode classifications.
  • Any parser/config path for the new modes has tests.
  • Integration coverage proves an unimplemented selected mode fails closed if it is externally selectable.
  • Existing #36 ("fix: block unsafe agent client-tool fanout") behavior remains green:
    • default fs/* / terminal/* blocked and not broadcast;
    • unsafe debug still preserves raw fanout;
    • blocked capabilities are not advertised;
    • permission requests still use collaborative broadcast.

Follow-up implementation issues

After this lands, split real behavior into separate focused PRs/issues:

  1. single_pass_through: select one capable peer, route fs/* only to that peer, route terminal/create to that peer, and bind terminal follow-up methods to the owner peer.
  2. self_handle: implement mux/executor-owned filesystem and terminal handling with root scoping, path canonicalization, denylist, terminal cleanup, and auditability.
