#7892: Claude/setup agent firewall ww xsv

<!-- greptile_comment --> <h2>Greptile Overview</h2> <h3>Greptile Summary</h3> This PR adds a “firewall” hardening layer around agent behavior/config: it disables runtime SOUL.md hot-swapping (`src/hooks/soul-evil.ts`), introduces a Tailscale-gated internal Config API (`src/internal/config-api.ts`), a unified config loader with API-first + disk fallback (`src/internal/config-loader.ts`), and a JSONL security event logger (`src/internal/security-logger.ts`). It also wires the loader into workspace template/bootstrap file creation (`src/agents/workspace.ts`) and adds tests for the new modules. Key issues to address before merge are around the new secure config loader integration and test reliability: `workspace.ts` currently calls `loadConfigFile()` with docs template filenames that the loader can’t resolve (so the “secure” path won’t actually be used), the integrity-failure fallback guard is based on a substring that doesn’t match the thrown error messages, and config-api tests are likely to fail in environments without Tailscale because `getTailscaleBinary()` isn’t mocked even though exec is. <h3>Confidence Score: 2/5</h3> - This PR has meaningful functional changes, but there are a couple of high-severity correctness/testability issues that should be fixed before merging. - Score is reduced due to (1) the secure config loader integration in `workspace.ts` appearing non-functional (wrong filename mapping) and (2) unit tests for the config API likely failing in CI because `getTailscaleBinary()` is still called even when exec is mocked. The remaining concerns are smaller correctness/robustness issues. - src/agents/workspace.ts, src/internal/config-api.ts, src/internal/config-api.test.ts <!-- greptile_other_comments_section --> _{(2/5) Greptile learns from your feedback when you react with thumbs up/down!} **Context used:** - Context from `dashboard` - CLAUDE.md ([source](https://app.greptile.com/review/custom-context?memory=fd949e91-5c3a-4ab5-90a1-cbe184fd6ce8)) - Context from `dashboard` - AGENTS.md ([source](https://app.greptile.com/review/custom-context?memory=0d0c8278-ef8e-4d6c-ab21-f5527e322f13)) <!-- /greptile_comment -->