feat(agent-host): gate inbound filesystem RPCs with a permission service (#314194)

* feat(agent-host): gate inbound filesystem RPCs with a permission service

Reverse `resource{Read,List,Write,Delete,Move}` from remote agent hosts
were routed straight to `IFileService` with no authorization. Add a
permission service that gates each reverse RPC, returns typed
`PermissionDenied` with `data.request`, handles negotiation via the new
`resourceRequest` reverse RPC, and surfaces a Deny / Allow / Always Allow
prompt above the chat input.

URIs are canonicalized through `IFileService.realpath` before comparison
so `..` and symlinks can't escape grants. Implicit read grants are
auto-registered for customization URIs the client sends to the host, so
plugin sync remains friction-free. Always-Allow grants persist into a
new user setting, `chat.agentHost.localFilePermissions`.

* comments and tests