boundary: move agent identity out of OSS gr2

[laynepenney]

Summary

gr2 (OSS workspace orchestrator) has agent identity code that belongs in premium per boundary policy. Identity is always premium.

Contamination points

Rust (gr2/src/dispatch.rs)

• gr2 team add creates agent.toml with name and kind fields
• gr2 team list discovers agents by scanning for agent.toml
• gr2 team remove deletes agent directories by checking agent.toml

Python

• migration.py:136 writes agent_id: "gr1:{unit_name}" into unit configs
• migration.py:202-204 reads agent_id from unit specs and persists to TOML
• spec_apply.py:377-379 persists agent_id from unit specs into TOML
• execops.py:160 reads agent_id from unit specs

What stays (clean seams)

• events.py agent_id parameter on emit() is a neutral pass-through seam. Caller-populated, no identity resolution.
• workspace.toml is gr2 workspace config, not identity.

Fix

1. Remove gr2 team add/list/remove commands from OSS dispatch.rs
2. Remove agent_id config writing from migration.py and spec_apply.py
3. Remove agent_id reading from execops.py
4. Premium reimplements these as identity management operations in synapt-private

Premium boundary: OSS orchestrates workspaces and units. Premium manages agent identity, assignment, and configuration.