feat(config): expose hot-reload API for GUI integration

[gaord]

Summary

Adds HTTP endpoints and protocol plumbing so GUI clients (CodeWhale VSCode) can read, persist, and hot-reload TUI configuration without restarting the engine. This unblocks the GUI /config panel — saving a setting in the GUI now takes effect on the next prompt turn in the running TUI engine.

New endpoints (runtime API, --port)

• GET /v1/config returns the full GUI-facing config snapshot (model, provider, approval mode, subagents, MCP path, settings-backed keys, …)
• POST /v1/config/set persists a single key to config.toml or settings.toml without mutating the in-memory state — the caller POSTs /v1/config/reload to apply
• POST /v1/config/reload re-reads the on-disk config, swaps the live Arc<RwLock<Config>>, and syncs running engines via Op::SetModel / Op::SetCompaction / Op::SetSubagentRuntimeConfig

New app-server protocol

• AppRequest::ConfigReload + app/config/reload route — mirrors the HTTP reload over stdio
• Runtime::update_config / Runtime::reload_config_and_policy push fresh snapshots into the headless Runtime on every set/unset

Fixes folded in

• --config <path> preserved end-to-end: RuntimeApiState.config_path flows from CLI → Config::load → all config_persistence::persist_* calls. Previously a custom --config path was lost on reload/persist, causing GUI edits to silently target the default discovery path instead of the file the server booted from.
• subagents_enabled and subagents_max_depth persist correctly via persist_subagents_bool_key / persist_subagents_integer_key. Previously these two keys were rejected as unknown.
• max_history returns 400 for non-integer input instead of silently falling back to 100 via unwrap_or.
• RuntimeThreadManager.config moved from Config to Arc<RwLock<Config>> so reloads are visible to active threads. All 3 read sites go through read_config() or a snapshot clone, avoiding held guards across await points.

Testing

• cargo fmt --all -- --check
• cargo clippy --workspace --all-targets --all-features (no new warnings; 2 pre-existing &*config deref warnings fixed)
• cargo test --workspace --all-features (78 runtime_api::tests + 45 app-server tests pass)

New tests (14 in runtime_api::tests)

• set_config validates input for max_history, subagents_enabled, subagents_max_depth (rejects non-integer / non-bool with 400)
• set_config rejects unknown keys with 400
• set_config with persist:false is a true dry run — disk file unchanged
• set_config with --config <path> writes to the specified file (not default discovery)
• set_config for subagents_enabled=false and subagents_max_depth below ceiling persist correctly
• set_config response contains all expected fields (key/value/persisted/requires_reload)
• reload_config returns success, refreshes mcp_config_path, reads from config_path (not default), returns 500 on malformed TOML
• reload_config applies multiple accumulated persisted keys in one shot (model + max_depth + enabled)

Checklist

• Updated docs or comments as needed (doc comments on Runtime::update_config / reload_config_and_policy explain what is and isn't refreshed)
• Added or updated tests where relevant (14 new tests)
• Verified TUI behavior manually if UI changes — N/A, no TUI UI changes; verified via GUI side (separate GUI PR)
• Harvested/co-authored credit uses a GitHub numeric noreply address — N/A, no co-authors