fix(query): restrict AutoDream background agent #35

Open

BunsDev wants to merge 1 commit into main from codex/fix-autodream-background-agent-leak

Conversation

@BunsDev (Member) commented Jun 3, 2026

Motivation

  • AutoDream spawned a background sub-agent that was pointed at the conversations transcript directory and ran with the full toolset, risking unprompted transcript disclosure and autonomous tool execution.
  • The change narrows the background agent's capabilities and removes transcript disclosure to eliminate an unprompted local-data exfiltration vector.

Description

  • Limit AutoDream background runs to a read-only tool allowlist by passing tools: ["Read","Glob","Grep"] when spawning the sub-agent.
  • Replace explicit transcript-path and grep instructions in the consolidation prompt with a read-only prompt that forbids transcript access, shell/network commands, and file writes, and instructs the agent to only draft suggested memory-file edits for foreground approval.
  • Reuse the pre-built, filtered agent_tools for background execution instead of reconstructing cc_tools::all_tools() inside the background task.
  • Add a unit test that asserts the consolidation prompt no longer exposes transcript paths or grep instructions.

Testing

  • Ran cargo test --package claurst-query auto_dream and the AutoDream unit tests passed (9 passed, 0 failed).
  • Ran cargo check --package claurst-query and it completed successfully for the package.
  • cargo check --workspace failed in this environment due to a missing system library required by alsa-sys (external to these changes).
  • cargo clippy --package claurst-query --all-targets -- -D warnings and cargo fmt --all --check reported pre-existing workspace issues unrelated to the AutoDream/AgentTool changes.

Codex Task
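The restriction the PR body describes, written out as an added example in Rust; this is not claurst's code and none of it is taken from the PR. `ToolSpec`, `all_tools`, `filter_tools`, `authorize_call`, `build_consolidation_prompt`, `leaky_prompt` and `prompt_violations` are assumed names, the tool list and the prompt wording are constructed for illustration, and the markers in `FORBIDDEN_PROMPT_MARKERS` are an assumed check. It goes beyond the description in two ways: the allowlist is rejected at spawn time if it names a tool with side effects, and every tool call is re-checked against the pre-built list at dispatch, not only when the sub-agent is spawned.

```rust
// Added example (not claurst's own code): least-privilege spawn of a
// background sub-agent. ToolSpec, all_tools, filter_tools, authorize_call,
// build_consolidation_prompt, leaky_prompt and prompt_violations are assumed
// names; the tool list and prompt wording are constructed for illustration.
use std::collections::HashSet;

/// A tool the runtime can expose. `has_side_effects` marks anything that
/// writes, executes or talks to the network.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct ToolSpec {
    pub name: &'static str,
    pub has_side_effects: bool,
}

/// Stand-in for the full toolset the PR refers to as `cc_tools::all_tools()`.
pub fn all_tools() -> Vec<ToolSpec> {
    vec![
        ToolSpec { name: "Read", has_side_effects: false },
        ToolSpec { name: "Glob", has_side_effects: false },
        ToolSpec { name: "Grep", has_side_effects: false },
        ToolSpec { name: "Write", has_side_effects: true },
        ToolSpec { name: "Bash", has_side_effects: true },
        ToolSpec { name: "WebFetch", has_side_effects: true },
    ]
}

/// The read-only allowlist the PR passes as `tools: ["Read","Glob","Grep"]`.
pub const BACKGROUND_ALLOWLIST: &[&str] = &["Read", "Glob", "Grep"];

/// Prompt fragments that would indicate a transcript path or a grep/shell
/// instruction leaking into the prompt (assumed markers, kept lowercase).
pub const FORBIDDEN_PROMPT_MARKERS: &[&str] =
    &["transcripts/", "conversations/", "grep -", "bash", "curl "];

#[derive(Debug)]
pub struct BackgroundAgentConfig {
    pub tools: Vec<ToolSpec>,
    pub prompt: String,
}

/// Build the filtered toolset once, in the foreground, and hand that to the
/// background task. Fails closed if the allowlist names a side-effecting tool,
/// so widening the allowlist later cannot silently re-enable writes or shell.
pub fn filter_tools(all: &[ToolSpec], allow: &[&str]) -> Result<Vec<ToolSpec>, String> {
    let allowed: HashSet<&str> = allow.iter().copied().collect();
    let mut out = Vec::new();
    for t in all.iter().filter(|t| allowed.contains(t.name)) {
        if t.has_side_effects {
            return Err(format!("{} has side effects; not allowed in background", t.name));
        }
        out.push(t.clone());
    }
    Ok(out)
}

/// Re-check every tool call against the pre-built list at dispatch time, so a
/// prompt-injected request for Bash or Write is refused even if the model asks.
pub fn authorize_call(cfg: &BackgroundAgentConfig, tool: &str) -> bool {
    cfg.tools.iter().any(|t| t.name == tool)
}

/// Read-only consolidation prompt: no transcript paths, no shell or network,
/// no writes; the agent only drafts an edit for foreground approval.
pub fn build_consolidation_prompt(memory_dir: &str) -> String {
    format!(
        "You are consolidating project memory under {memory_dir}.\n\
         Use only Read, Glob and Grep on that directory.\n\
         Do not read conversation transcripts, run shell or network commands, \
         or write files.\n\
         Reply with a suggested memory-file edit for the user to approve."
    )
}

/// Constructed stand-in for the kind of prompt the PR removes: it points the
/// agent at the transcript directory and tells it what to grep.
pub fn leaky_prompt(transcript_dir: &str) -> String {
    format!("Transcripts are in {transcript_dir}/. Run `grep -r decision {transcript_dir}` and summarize.")
}

/// The check the PR's new unit test performs, generalised to a marker list:
/// returns every forbidden marker found in the prompt (empty means clean).
pub fn prompt_violations(prompt: &str) -> Vec<String> {
    let lower = prompt.to_lowercase();
    FORBIDDEN_PROMPT_MARKERS
        .iter()
        .copied()
        .filter(|m| lower.contains(*m))
        .map(String::from)
        .collect()
}

fn main() {
    let tools = filter_tools(&all_tools(), BACKGROUND_ALLOWLIST).expect("read-only allowlist");
    let cfg = BackgroundAgentConfig { tools, prompt: build_consolidation_prompt("/proj/.memory") };
    println!("background tools: {:?}", cfg.tools.iter().map(|t| t.name).collect::<Vec<_>>());
    println!("Bash allowed: {}", authorize_call(&cfg, "Bash"));
    println!("prompt violations: {:?}", prompt_violations(&cfg.prompt));
}
```

The two checks are deliberately separate: `filter_tools` decides what the sub-agent may ever hold, and `authorize_call` enforces it on each request, so the allowlist holds even if the prompt is subverted by content the agent reads. The `prompt_violations` marker scan is a coarse string check of the kind a unit test can run on the built prompt; it is not a substitute for the tool allowlist.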

Copilot AI review requested due to automatic review settings June 3, 2026 12:00

Copilot AI left a comment


Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.
