feat: wire permission checker into engine tool execution

Tools now go through permission.Checker before executing:
- plan mode: denies all writes (fs.write, bash), allows reads
- bypass mode: allows all (deny rules still enforced)
- default mode: prompts user (pipe: stdin prompt, TUI: auto-approve for now)
- accept_edits: auto-allows file ops, prompts for bash
- deny mode: denies all without allow rules

CLI flags: --permission <mode>, --incognito
Pipe mode: console Y/N prompt on stderr
TUI mode: auto-approve (proper overlay TODO)

Verified: plan mode correctly blocks fs.write, model sees error.
2026-04-03 16:15:41 +02:00
parent 8e95f97cd5
commit 97b065596d
5 changed files with 63 additions and 13 deletions


@@ -6,6 +6,7 @@ import (
"log/slog"
"somegit.dev/Owlibou/gnoma/internal/message"
"somegit.dev/Owlibou/gnoma/internal/permission"
"somegit.dev/Owlibou/gnoma/internal/provider"
"somegit.dev/Owlibou/gnoma/internal/router"
"somegit.dev/Owlibou/gnoma/internal/security"
@@ -17,8 +18,9 @@ type Config struct {
Provider provider.Provider // direct provider (used if Router is nil)
Router *router.Router // nil = use Provider directly
Tools *tool.Registry
Firewall *security.Firewall // nil = no scanning
System string // system prompt
Firewall *security.Firewall // nil = no scanning
Permissions *permission.Checker // nil = allow all
System string // system prompt
Model string // override model (empty = provider default)
MaxTurns int // safety limit on tool loops (0 = unlimited)
Logger *slog.Logger
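Review bot: `Permissions *permission.Checker // nil = allow all` makes the zero value of Config fail open, so any caller that builds a Config without setting this field runs every tool with no permission check at all. The deny rules that the commit message says stay enforced in bypass mode would presumably be skipped as well, which makes a nil checker weaker than the most permissive named mode. Consider making the unset case fail closed (for example, have the engine constructor install a default-mode checker or return an error when the field is nil), and require an explicit opt-out for tests. At minimum the comment should state the risk, e.g. `Permissions *permission.Checker // nil = NO permission checks, deny rules included; production callers must set this`. The code that reads this field is outside the hunk, so the nil behaviour is taken from the field comment only.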