per-agent send allow-list via hyperhive.allowedRecipients

new NixOS option in harness-base.nix:
  hyperhive.allowedRecipients = [ 'alice' 'manager' ];  # whitelist
  hyperhive.allowedRecipients = [ ];                    # default = unrestricted

module writes the list as JSON to /etc/hyperhive/send-allow
.json at activation. AgentServer::send reads the file before
issuing the broker request; if the list is non-empty and
`to` isn't on it, the tool returns a claude-readable refusal
string without touching the broker. the manager is always
implicitly permitted regardless of the list — otherwise a
misconfigured allow-list could strand a sub-agent without an
escalation path.

enforcement is in the in-container MCP server (not on the
host's per-agent socket) because the agent's nix config is the
trust boundary anyway — the operator audits agent.nix at
deploy time, the activation-time /etc/hyperhive/send-allow
.json is r/o under /nix/store, so the agent can't tamper at
runtime without going through a new approval.

agent prompt mentions the option + tells claude to route
through the manager when refused. retires the matching TODO
under Permissions / policy.

hive-ag3nt/src/mcp.rs

@@ -149,6 +149,9 @@ impl AgentServer {
     async fn send(&self, Parameters(args): Parameters<SendArgs>) -> String {
         let log = format!("{args:?}");
         let to = args.to.clone();
+        if let Err(refusal) = check_send_allowed(&to) {
+            return run_tool_envelope("send", log, async move { refusal }).await;
+        }
         run_tool_envelope("send", log, async move {
             let resp = client::request::<_, hive_sh4re::AgentResponse>(
                 &self.socket,
@@ -627,6 +630,54 @@ pub fn builtin_tools_arg() -> String {
 /// `mcp__<key>__<tool>` pattern in `--allowedTools`.
 const EXTRA_MCP_PATH: &str = "/etc/hyperhive/extra-mcp.json";
 
+/// Where the NixOS module writes the per-agent send allow-list (see
+/// `nix/templates/harness-base.nix`). Empty list = unrestricted (the
+/// default). Non-empty list constrains `mcp__hyperhive__send`'s `to`
+/// field; the manager is always implicitly permitted regardless of
+/// the list contents.
+const SEND_ALLOW_PATH: &str = "/etc/hyperhive/send-allow.json";
+
+/// Enforce the per-agent send allow-list. Returns `Ok` when the
+/// recipient is permitted (no list configured, manager always
+/// allowed, or `to` is in the list); returns `Err(refusal)` with a
+/// claude-readable string when blocked — the harness surfaces the
+/// refusal as the tool result so claude knows the message didn't
+/// land and can react (e.g. route via the manager instead).
+fn check_send_allowed(to: &str) -> Result<(), String> {
+    if to == hive_sh4re::MANAGER_AGENT {
+        // Always allow agents to talk to the manager — otherwise a
+        // misconfigured allow-list could leave a sub-agent unable
+        // to ask for help.
+        return Ok(());
+    }
+    let Ok(raw) = std::fs::read_to_string(SEND_ALLOW_PATH) else {
+        return Ok(()); // file missing → no policy configured → unrestricted
+    };
+    let allow: Vec<String> = match serde_json::from_str(&raw) {
+        Ok(v) => v,
+        Err(e) => {
+            tracing::warn!(
+                path = SEND_ALLOW_PATH,
+                error = ?e,
+                "send allow-list parse failed; falling back to unrestricted",
+            );
+            return Ok(());
+        }
+    };
+    if allow.is_empty() {
+        return Ok(()); // empty list = unrestricted (back-compat)
+    }
+    if allow.iter().any(|n| n == to) {
+        return Ok(());
+    }
+    Err(format!(
+        "send refused: recipient '{to}' not in hyperhive.allowedRecipients \
+         (configured in agent.nix). Allowed: {allow:?}. The manager is \
+         always reachable — route through `send(to: \"manager\", …)` if \
+         you need to reach someone outside the allow-list."
+    ))
+}
+
 #[derive(Debug, serde::Deserialize)]
 struct ExtraMcpServer {
     command: String,