
Restrict worker follow-up artifact writes #98

Merged
pmbstyle merged 2 commits into main from codex/fix-worker-follow-up-file-overwrite-vulnerability on May 17, 2026

Conversation

@pmbstyle (Owner)

Motivation

  • Fix a security regression where worker-result follow-up could invoke fs_write against arbitrary workspace-relative paths based on untrusted worker output, allowing overwrites of sensitive workspace files.
  • Limit automatic persistence of worker-returned content to durable artifact roots to prevent prompt-injected worker output from corrupting runtime configuration or templates.
  • Preserve existing worker-local and explicitly shared-path behavior for normal worker operations while narrowing the follow-up route surface.

Description

  • Narrow the worker-followup guidance so the follow-up model is told to use fs_write only for paths under the durable roots (reports/ and artifacts/).
  • Change the worker-followup tool context so ctx includes workspace_root, allowed_paths=list(_DURABLE_WORKSPACE_ROOTS), and restrict_to_allowed_paths=True when resolving follow-up tool calls.
  • Harden filesystem helpers by introducing a _FilesystemPaths helper and a restrict_to_allowed_paths flag in _resolve_tool_path so callers can force enforcement of allowed_paths checks.
  • Add unit tests that assert fs_write under a restricted context can write to reports/ but is blocked from overwriting sensitive workspace files, and a test that the follow-up tool context is configured with the restricted paths.

Testing

  • Ran static checks with uv run ruff check which passed for the modified files.
  • Ran formatting checks with uv run black --check which passed for the changed files.
  • Performed smoke validations via small uv run python scripts that exercised fs_write under a restricted context and exercised _get_worker_followup_tools, confirming allowed writes succeed and disallowed writes are blocked.
  • Attempted to run uv run python -m pytest for the new tests but pytest could not be executed in the current environment because pytest is not installed in the active venv and dev-dependency installation was blocked by network/package fetch errors.

Codex Task
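The following is an added illustration of the enforcement the description outlines, not the project's own _resolve_tool_path or _FilesystemPaths code: a resolver that maps an untrusted workspace-relative path into the workspace, rejects absolute and traversing input, re-checks after symlink resolution, and, when the restrict flag is on, only accepts paths whose first component is one of the durable roots. The root names, function names and the sample workspace are assumptions made for the example.

```python
import tempfile
from pathlib import Path, PurePosixPath, PureWindowsPath

DURABLE_ROOTS = ("reports", "artifacts")  # assumption: the durable roots the PR names

class PathNotAllowed(ValueError):
    """The follow-up model asked to write somewhere it must not."""

def resolve_tool_path(workspace_root, requested, allowed_roots=DURABLE_ROOTS,
                      restrict_to_allowed_paths=False):
    """Map an untrusted workspace-relative path to an absolute path inside the workspace."""
    root = Path(workspace_root).resolve()
    rel = PurePosixPath(str(requested))
    if rel.is_absolute() or PureWindowsPath(str(requested)).is_absolute():
        raise PathNotAllowed(f"absolute path refused: {requested}")
    if not rel.parts or ".." in rel.parts:
        raise PathNotAllowed(f"empty path or traversal refused: {requested}")
    candidate = (root / rel).resolve()  # follows symlinks, so a link under reports/ cannot escape
    if candidate != root and root not in candidate.parents:
        raise PathNotAllowed(f"escapes workspace: {requested}")
    if restrict_to_allowed_paths:  # the enforcement the follow-up tool context switches on
        parts = candidate.relative_to(root).parts
        if not parts or parts[0] not in allowed_roots:
            raise PathNotAllowed(f"outside durable roots {allowed_roots}: {requested}")
    return candidate

def classify(workspace_root, requested, restrict=True):
    """'allowed' or 'blocked' for one fs_write request, mirroring the PR's unit tests."""
    try:
        resolve_tool_path(workspace_root, requested, restrict_to_allowed_paths=restrict)
        return "allowed"
    except PathNotAllowed:
        return "blocked"

def demo():
    """Constructed sample workspace: durable roots, a config file, and an escaping symlink."""
    ws = Path(tempfile.mkdtemp())
    for name in DURABLE_ROOTS:
        (ws / name).mkdir()
    (ws / "config.yaml").write_text("runtime: settings\n")
    (ws / "reports" / "escape").symlink_to(ws.parent)  # points outside the workspace
    return {
        "report": classify(ws, "reports/summary.md"),
        "config": classify(ws, "config.yaml"),
        "traversal": classify(ws, "reports/../config.yaml"),
        "absolute": classify(ws, str(ws / "config.yaml")),
        "symlink_escape": classify(ws, "reports/escape/config.yaml"),
        "config_unrestricted": classify(ws, "config.yaml", restrict=False),
    }
```

The unrestricted case shows why the flag matters: without it the same request for config.yaml is a legitimate workspace write, so the block is a property of the follow-up context, not of the path helper alone.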

@pmbstyle pmbstyle self-assigned this May 17, 2026
@pmbstyle pmbstyle merged commit cfe3287 into main May 17, 2026
4 checks passed
@pmbstyle pmbstyle deleted the codex/fix-worker-follow-up-file-overwrite-vulnerability branch May 17, 2026 11:44
