per-agent send allow-list via hyperhive.allowedRecipients

new NixOS option in harness-base.nix:
  hyperhive.allowedRecipients = [ 'alice' 'manager' ];  # whitelist
  hyperhive.allowedRecipients = [ ];                    # default = unrestricted

module writes the list as JSON to /etc/hyperhive/send-allow
.json at activation. AgentServer::send reads the file before
issuing the broker request; if the list is non-empty and
`to` isn't on it, the tool returns a claude-readable refusal
string without touching the broker. the manager is always
implicitly permitted regardless of the list — otherwise a
misconfigured allow-list could strand a sub-agent without an
escalation path.

enforcement is in the in-container MCP server (not on the
host's per-agent socket) because the agent's nix config is the
trust boundary anyway — the operator audits agent.nix at
deploy time, the activation-time /etc/hyperhive/send-allow
.json is r/o under /nix/store, so the agent can't tamper at
runtime without going through a new approval.

agent prompt mentions the option + tells claude to route
through the manager when refused. retires the matching TODO
under Permissions / policy.

TODO.md

@@ -3,17 +3,6 @@
 Pick anything from here when relevant. Cross-cutting design notes live in
 [CLAUDE.md](CLAUDE.md); high-level project intro in [README.md](README.md).
 
-## Permissions / policy
-
-- **Per-agent send allow-list.** Today any agent can `send` to any
-  other recipient (peer, manager, operator). Add a per-agent
-  policy that constrains the `to` field — declared in `agent.nix`,
-  e.g. `hyperhive.allowedRecipients = [ "manager" "alice" ]`.
-  Broker rejects with an `Err { message }` when the policy denies.
-  Default: unrestricted (back-compat). The manager can still
-  always send anywhere. Useful for sandboxing untrusted sub-agents
-  so they can only talk to the manager, not other sub-agents.
-
 ## Security
 
 - **Unprivileged containers (userns mapping).** Today the nspawn container