feat: make openspec-plan agent permissions fully explicit

[JAPACX]

Summary

The openspec-plan agent previously only declared edit permissions, leaving
all other tools (read, bash, glob, grep, etc.) as implicit — relying on
OpenCode's global defaults.

This made the agent's actual capabilities opaque and created a risk of unintended access.

This PR replaces the minimal permission block with a fully explicit declaration
covering every OpenCode permission key relevant to the agent.

Changes

src/config.ts — openSpecAgent.permission

read

• Allow all file reads
• Explicitly deny .env files (a spec agent has no need for secrets)

edit

• Base rule: "*": "deny" — nothing is editable by default
• Explicit allow only for spec targets: project.md, AGENTS.md,
  openspec/**, specs/**

bash

• Base rule: "*": "deny" — no arbitrary shell execution
• Allow read-only filesystem commands: grep, ls, cat, find,
  echo, pwd, which, env, printenv
• Allow git read-only: git status*, git log*, git diff*, git show*
  (useful for repo context without risk of mutations)

All other tools

Explicitly declared as allow or ask instead of relying on defaults:

• glob, grep, list, lsp — allow (read-only exploration)
• todoread, todowrite — allow (internal task tracking)
• webfetch, websearch, codesearch — allow (doc/reference lookup)
• task, skill, question — allow (subagents and user interaction)
• doom_loop, external_directory — ask (safety guards, unchanged)

Why last-match-wins matters here

OpenCode evaluates granular permission rules in order, with the last matching
rule winning. For edit and bash, the catch-all "*": "deny" is placed
first so that the specific allow rules after it correctly override it.

No functional change for spec files

The set of files the agent can edit is identical to before. This PR only makes
the full permission surface explicit and adds a deny baseline for everything
outside that set.

[JAPACX]

@Octane0411 This pr Closes https://github.com/Octane0411/opencode-plugin-openspec/issues/6