Add cloud disconnect command

[Mr-Lucky]

Summary

Adds agentguard disconnect to remove the local Cloud connection credentials while keeping local protection active.

The command:

• removes apiKey and connectedAt from local config
• keeps the configured cloudUrl for future reconnects
• clears the pending Cloud event spool
• clears the cached Cloud policy so runtime falls back to the built-in local policy
• keeps the local audit log and installed hooks/templates untouched

Also updates the AgentGuard skill CLI documentation and exports disconnectCloud().

Type

• Bug fix
• New feature / detection rule
• Refactoring
• Documentation

Testing

• npm run build
• node --test dist/tests/runtime-cloud.test.js
• npm test

[github-actions]

AgentGuard PR Review

1. medium — src/config.ts:104-114 (disconnectCloud)
   rmSync(current.eventSpoolPath, { force: true }) and rmSync(current.policyCachePath, { force: true }) delete paths derived from config without any validation. If the config file is tampered with, these fields could point outside the AgentGuard data directory and cause unintended file deletion.
   Fix: Validate that both paths resolve under AGENTGUARD_HOME/the expected AgentGuard root before deleting, and refuse to delete otherwise.

2. medium — src/config.ts:104-114 and src/cli.ts:94-104
   The new disconnect command only removes apiKey and connectedAt, but leaves other Cloud-related state intact. If saveConfig preserves a stale cloudUrl and related connection metadata is still used elsewhere, the CLI can report a disconnected state while parts of the runtime still behave as if Cloud is configured.
   Fix: Audit all Cloud-dependent fields and ensure disconnect clears or invalidates every field that can trigger Cloud communication, or explicitly document and enforce that only the URL remains and cannot be used for reconnect/telemetry without a key.

3. low — src/tests/runtime-cloud.test.ts:60-96
   The new test writes a fake auditPath file and asserts it survives disconnect, but disconnectCloud() never touches audit files. This test does not verify the actual security-sensitive behavior introduced by the patch and could miss regressions in the cleanup logic.
   Fix: Add assertions for the config file contents after disconnect and for path containment/validation behavior on spool and policy cache paths.