guardrails: safe agents and workflow commands

[terisuke]

Parent epic: #1

Source brief:

• docs/ai-guardrails/issues/004-safe-agents-and-commands.md
• docs/ai-guardrails/migration/claude-code-skills-inventory.md

Problem

Raw built-in agents are too permissive for an internal product. The repo needs a safer default operating model for implementation, review, and release workflows.

Deliverables

• hardened default primary agent
• review-oriented subagent
• slash commands for /implement, /review, /ship, and /handoff
• explicit permission policy for dangerous shell patterns and write operations

Acceptance

• default agent is not an unrestricted build clone
• review workflow can run without edit access
• release workflow cannot bypass explicit gates

Notes

• Follow the thin-distribution approach from docs/ai-guardrails/adr/001-thin-distribution-over-deep-fork.md
• Preserve the philosophy imported from claude-code-skills epic feat(guardrails): Wave 8 — review fixes + remaining hooks + multi-model delegation #130: mechanism-first guardrails, fast feedback, pointer-based instructions, and runtime verifiability
• Prefer OpenCode-native config/profile/plugin/command/CI surfaces over core patches

Dependencies

• epic: internal AI guardrails thin distribution for Cor-Incorporated #1
• guardrails: plugin MVP for policy enforcement #4
• docs/ai-guardrails/migration/claude-code-skills-inventory.md

[terisuke]

This issue is in the now-required set for the MVP floor tracked in #16. It should stay focused on safe local-runtime workflows and should not silently absorb later CI or broader migration scope.

[terisuke]

Starting implementation from the source canon and the local brief. Scope for this PR: guarded primary agent, read-only review subagent, and explicit implement/review/ship/handoff commands only. CI authority and broader migration stay out of scope per #16.