
Gemini permission and sandbox lockdown layer #73

Description

@Ryan-Atkinson87

The inner provider permission layer for Gemini: configure approval modes and seatbelt/sandbox profiles (and read-only Plan Mode where used) to match the strict-deny posture and explicit prohibitions enforced for Claude (#18).

Spec §3.2 (Gemini permission/lockdown column), §7.4 (provider permission layer — inner), §7.5 (explicit prohibitions).

Acceptance criteria

  • Gemini approval mode and seatbelt/sandbox profile set deny-by-default; only the Squid egress allowlist (§7.2) is reachable.
  • Read-only Plan Mode is used for non-writing stages where applicable (§3.2).
  • Approval/sandbox config denies the same prohibited operations enforced for Claude (§7.5): no force-push, no protected-branch writes, no filesystem access outside the bound mount.
  • Lockdown is applied by the adapter on every run_session — not opt-in.
  • Fails closed: a lockdown misconfiguration blocks the session rather than running it unsandboxed.
  • Tests assert the lockdown flags are present on every invocation and that a prohibited operation is rejected.

Depends on: #72
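One way an adapter could apply these criteria and make them testable, written as an added example rather than the project's own code: the CLI flag names (`--sandbox`, `--approval-mode`), the `SEATBELT_PROFILE` variable, the profile name, the proxy address and the protected-branch list are all assumptions or placeholders, not values taken from this issue.

```python
from __future__ import annotations
from dataclasses import dataclass
import shlex
PROTECTED_BRANCHES = frozenset({"main", "master"})  # placeholder protected set

class LockdownError(RuntimeError):
    """Raised instead of launching: a bad lockdown config blocks the session."""

@dataclass(frozen=True)
class Lockdown:
    approval_mode: str    # assumed CLI value; auto-approving modes are rejected
    sandbox_profile: str  # seatbelt/sandbox profile name (placeholder)
    proxy_url: str        # Squid egress allowlist proxy (placeholder)
    mount: str            # the only path the session may read or write
    def validate(self) -> None:
        if self.approval_mode not in {"default", "plan"}:
            raise LockdownError(f"approval mode {self.approval_mode!r} is not deny-by-default")
        if not self.sandbox_profile.startswith("restrictive"):
            raise LockdownError("sandbox profile must be a restrictive profile")
        if not self.proxy_url.startswith("http://"):
            raise LockdownError("no egress proxy: session would reach the open internet")

def build_invocation(ld: Lockdown, prompt: str) -> tuple[list[str], dict[str, str]]:
    """Argv and env for one run_session; validate() runs first so misconfig fails closed."""
    ld.validate()
    # Flag and variable names below are assumptions about the Gemini CLI, not from its docs.
    argv = ["gemini", "--sandbox", "--approval-mode", ld.approval_mode, "-p", prompt]
    env = {"SEATBELT_PROFILE": ld.sandbox_profile, "HTTPS_PROXY": ld.proxy_url, "HTTP_PROXY": ld.proxy_url}
    return argv, env

def fails_closed(ld: Lockdown) -> bool:
    try:
        build_invocation(ld, "noop")
    except LockdownError:
        return True
    return False

def prohibited_reason(command: str, mount: str) -> str | None:
    """Reason a shell command violates the §7.5 prohibitions, or None if allowed."""
    argv = shlex.split(command)
    if argv[:2] == ["git", "push"]:
        for a in argv[2:]:
            if a in ("--force", "-f") or a.startswith(("--force-with-lease", "+")):
                return "force-push"
            if not a.startswith("-") and a.split(":")[-1].removeprefix("refs/heads/") in PROTECTED_BRANCHES:
                return "protected-branch write"
    root = mount.rstrip("/") + "/"
    for a in argv:
        if a.startswith("/") and a != mount.rstrip("/") and not a.startswith(root):
            return f"path outside bound mount: {a}"
    return None
```

A test for the last acceptance criterion calls build_invocation on every session config and asserts the lockdown flags are in argv, and calls prohibited_reason on the adapter's command filter with a force-push and an out-of-mount path.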

Labels: enhancement (New feature or request)