refactor(agent): unify chat loops and enrich Tool trait

[odysa]

Summary

• Collapse four near-identical agent loops (SimpleAgent, StreamingAgent, SubagentTool, PlanAgent) into two shared drivers: chat_loop (non-streaming) and stream_chat_loop (streaming).
• Enrich the Tool trait with metadata — is_read_only, is_concurrent_safe, is_destructive, summary, validate_input — and change Tool::call to return ToolResult { content, is_truncated } instead of String.
• Plan mode now picks visible tools via Tool::is_read_only() rather than a hardcoded ["bash","read","ask_user"] allowlist; plan_tool_names(...) is available when the read-only-ness depends on arguments.
• Bound every loop with QueryConfig { max_turns, max_result_chars }; UTF-8-safe truncation happens once in ToolSet::execute_calls.
• Split AgentEvent::ToolCall into ToolStart (summary) + ToolEnd (result preview) so UIs can render tool outputs.

Test plan

• cargo x solution-check passes (fmt + clippy + tests)
• cargo test -p mini-claw-code — all unit tests green
• cargo run -p mini-claw-code --example tui — manual smoke of ToolStart/ToolEnd rendering
• Plan-mode smoke: read-only tools visible, destructive tools blocked with a friendly error surfaced as tool output
• Sub-agent smoke: child agent honors QueryConfig::max_turns = 10 default

[odysa]

Test plan results

• cargo x solution-check — exit 0. Runs cargo fmt --check, cargo clippy -- -D warnings, and cargo test. All pass.
• cargo test -p mini-claw-code — 268 unit tests + 2 doctests, all green. (covered by the solution-check run above)
• TUI example — cargo check -p mini-claw-code --example tui compiles cleanly against the refactored AgentEvent::ToolStart / ToolEnd split (mini-claw-code/examples/tui.rs:146-162). Full interactive smoke (OpenRouter + TTY) not run from CI; leaving to the author for visual confirmation.
• Plan-mode smoke — covered by the existing test suite, all passing on this branch:
  • test_plan_agent_plan_with_read_tool — read-only tools visible during planning
  • test_plan_agent_plan_blocks_write_tool / test_plan_agent_plan_blocks_edit_tool — destructive tools blocked, error surfaced as a ToolResult::error the model can see
  • test_plan_agent_read_only_override — plan_tool_names(...) override works
  • test_plan_agent_full_plan_then_execute — plan→exit_plan→execute flow intact
• Sub-agent smoke — covered by:
  • test_subagent_builder_pattern — default QueryConfig::max_turns = 10 on SubagentTool
  • test_subagent_max_turns_exceeded — child bails with an error result (not a panic) when the bound is hit