feat: gate AI chat tools by Ask/Edit/Agent mode

[datlechin]

Summary

Wires the AI chat mode picker (Ask / Edit / Agent) to actual provider behavior. The picker was layout-only since PR A; now the selected mode filters which tools are exposed to the provider, blocks disallowed tools at execution time, and adds a short mode note to the system prompt. Implements the PR D row in docs/refactor/ai-chat-redesign.md.

• Ask: read-only tools only (list_connections, get_connection_status, list_databases, list_schemas, list_tables, describe_table, get_table_ddl).
• Edit: read-only tools plus execute_query (SELECT/INSERT/UPDATE/DELETE). confirm_destructive_operation stays blocked.
• Agent: full tool access including confirm_destructive_operation.

The connection's safe mode policy still gates execution, so the user remains the final approver. Mode picker .help text now describes the active mode in one line.

Test plan

• swiftlint lint --strict passes on changed files
• New tests in ChatToolRegistryModeTests cover Ask/Edit/Agent gating, isToolAllowed parity with allSpecs(for:), and unknown-tool behavior
• New tests in ExecuteToolUsesTests confirm blocked tools return isError: true without invoking the registered tool stub
• Existing ExecuteToolUsesTests updated to pass mode: .agent for behavioral parity
• Manual: switch mode in panel; observe that Ask cannot run queries, Edit can run SELECT but not destructive DDL, Agent can request destructive DDL

[chatgpt-codex-connector]

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.