ADR-0013: backend — AgentConfig/MCPServerConfig/ToolPolicy schemas + mcp_client.py runtime #261

@thinmintdev

Description

Implements the backend half of ADR-0013 — MCP-client allow-list for bundled agents.

Scope

Schemas (in src/hal0/config/schema.py)

  • AgentConfig — top-level /etc/hal0/agents/<name>.toml shape.
  • MCPServerConfig — per-server entry (url, enabled, auth.kind, auth.env, builtin).
  • ToolPolicy — allow: list[str], gated: list[str], blocked: list[str].
  • Pydantic validators enforce: schema_version pinning, default-deny invariants, installer-pinned blocked lists survive merges, no overlap between allow / gated / blocked.

Runtime (src/hal0/agents/mcp_client.py)

  • Loads /etc/hal0/agents/<name>.toml at agent-process startup.
  • Connects only to enabled servers in [mcp.servers.*].
  • Per-call tool classification: rejects unknown tools client-side with the tool.not_permitted error code.
  • gated tools enqueue via ADR-0004's approval queue (re-use the existing ApprovalRequest envelope).
  • Filesystem MCPs: rewrite tool args to pin the server-side root to the workspace; reject ../ and absolute paths client-side.
  • Tokens loaded from systemd-credential or 0600 env file — never on the command line.
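The three-tier classification and the merge/overlap invariants described above, as an added Python sketch that is not the project's code: it uses a plain dataclass rather than the Pydantic models named in the issue, and the Decision enum, the merge rule (an override may add to blocked but may not un-block an installer-pinned tool), the pin_to_workspace helper and the sample tool names are assumptions.

```python
from dataclasses import dataclass
from enum import Enum
import posixpath

class Decision(str, Enum):
    ALLOW = "allow"
    GATED = "gated"      # enqueue an ApprovalRequest before the call proceeds
    BLOCKED = "blocked"  # reject client-side with tool.not_permitted

@dataclass(frozen=True)
class ToolPolicy:
    allow: frozenset = frozenset()
    gated: frozenset = frozenset()
    blocked: frozenset = frozenset()

    def __post_init__(self):
        # Invariant: no tool name may appear in more than one tier.
        overlap = (self.allow & self.gated) | (self.allow & self.blocked) | (self.gated & self.blocked)
        if overlap:
            raise ValueError(f"tool listed in more than one tier: {sorted(overlap)}")

    def merge(self, override):
        # Assumed rule: installer-pinned blocked entries survive the merge. An override
        # may add to blocked but may not move a pinned-blocked tool into allow or gated.
        escaped = (override.allow | override.gated) & self.blocked
        if escaped:
            raise ValueError(f"override tries to unblock pinned tools: {sorted(escaped)}")
        return ToolPolicy(override.allow, override.gated, self.blocked | override.blocked)

    def classify(self, tool):
        # Default deny: anything not explicitly allowed or gated is blocked.
        if tool in self.allow:
            return Decision.ALLOW
        if tool in self.gated:
            return Decision.GATED
        return Decision.BLOCKED

def pin_to_workspace(path_arg, workspace):
    # Client-side guard for filesystem MCP args (assumed helper): refuse absolute paths
    # and anything that still escapes upward after normalisation, then root it at workspace.
    if posixpath.isabs(path_arg):
        raise PermissionError("absolute path rejected")
    norm = posixpath.normpath(path_arg)
    if norm == ".." or norm.startswith("../"):
        raise PermissionError("parent traversal rejected")
    return workspace if norm == "." else posixpath.join(workspace, norm)
# Constructed sample: the installer pins shell.exec as blocked; the agent config allows reads and gates writes.
PINNED = ToolPolicy(blocked=frozenset({"shell.exec"}))
AGENT = ToolPolicy(allow=frozenset({"fs.read"}), gated=frozenset({"fs.write"}))
EFFECTIVE = PINNED.merge(AGENT)
```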

Out of scope (separate issues)

  • installer/agents/hermes.sh config writer (ADR-0013 installer issue)
  • Dashboard /agents/mcp per-agent view (ADR-0013 dashboard issue)
  • Docs (ADR-0013 docs issue)

Acceptance

  • Unit tests cover the three-tier classification + path-rewrite + token-loading paths.
  • Integration test: spin up a stub MCP server, register it in a test config, and assert allow/gated/blocked behavior end-to-end.
  • Schema-validation failures emit structured config.agent_invalid errors per the error-envelope contract.

Metadata

Labels: enhancement (New feature or request), v0.3 (v0.3 scope)
