v0.9.4 — vf-clide REPL permission ceiling + denial wording

vf-clide UX release (0.3.1). No engine change (engine stays at 0.9.2). Two changes to the agent's permission UX.

REPL honors the permission ceiling

In the interactive --agent REPL, a tool call at or below the active ceiling (--yes → ReadOnly,
--allow-mutating → Mutating, --allow-shell → Exec, cumulative) is now auto-approved — and still printed,
so you see every tool that ran — and only a call above the ceiling prompts y/N.

Previously the REPL prompted for every call and the flags only took effect headless. So --agent --yes now
stops asking about reads, --allow-mutating stops asking about writes, and so on, while anything above the
ceiling still asks. This is consistent with headless, not laxer: workspace confinement still bounds the file
tools independently, and shell is still only auto-approved with --allow-shell.

Headless -p is unchanged — a call above the ceiling is denied (not prompted), byte-for-byte as before.

Denial wording in the constitution

The built-in agent system prompt now distinguishes the two kinds of denial so the model stops claiming it needs
"elevated permissions" or that a target is "system-critical":

• a permission denial (a tool above the current ceiling) is lifted only by re-running with
  --allow-mutating / --allow-shell — never OS or filesystem permissions;
• a workspace-confinement denial (a path outside the workspace) is absolute — no flag overrides it.

---

Versions: engine 0.9.2 (unchanged), vf-clide 0.3.0 → 0.3.1. Validated on AMD RX 9070 XT (RADV/gfx1201),
Mesa 26.1.2.