feat(tools): add PermissionPolicy with glob-pattern matching #248
Closed
Labels: tools (Tool execution and MCP integration)
Description
Problem
The shell executor uses a flat regex blocklist (`blocked_commands`) plus `confirm_patterns` for permission control. This gives no per-tool granularity, no allow/ask/deny semantics, and no pattern ordering.
Solution
Create crates/zeph-tools/src/permissions.rs:

```rust
use std::collections::HashMap;

pub enum PermissionAction { Allow, Ask, Deny }

pub struct PermissionRule {
    pub pattern: String, // glob pattern
    pub action: PermissionAction,
}

pub struct PermissionPolicy {
    pub rules: HashMap<String, Vec<PermissionRule>>, // tool_id -> rules
}
```

First matching rule wins (ordered evaluation). Default fallback: Ask.
Add a `[tools.permissions]` config section:

```toml
[tools.permissions]
bash = [
    { pattern = "git *", action = "allow" },
    { pattern = "cargo *", action = "allow" },
    { pattern = "rm -rf *", action = "deny" },
    { pattern = "*", action = "ask" },
]
```

Acceptance Criteria
- PermissionPolicy struct with glob-pattern matching per tool
- Three actions: allow (silent), ask (confirm), deny (block with message)
- Ordered rule evaluation (first match wins)
- Config deserialization from TOML
- Unit tests for pattern matching and rule ordering
Part of #247 (M19 Phase C)
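As an added illustration (not code from the zeph project), the following sketches how the policy above could evaluate a command: a minimal `*`/`?` glob matcher and an `evaluate` method that walks a tool's rules in order, returning the first match and falling back to Ask. The glob semantics and the `glob_match`/`evaluate`/`example_policy` names are assumptions, and the rules are built in code rather than deserialized from TOML.

```rust
use std::collections::HashMap;

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum PermissionAction { Allow, Ask, Deny }

pub struct PermissionRule { pub pattern: String, pub action: PermissionAction }

pub struct PermissionPolicy { pub rules: HashMap<String, Vec<PermissionRule>> }

/// Minimal glob matcher: `*` matches any run of characters, `?` exactly one.
/// (Assumed semantics; the issue does not pin down the glob dialect.)
fn glob_match(pattern: &[char], text: &[char]) -> bool {
    match (pattern.first(), text.first()) {
        (None, None) => true,
        (Some('*'), _) => glob_match(&pattern[1..], text)
            || (!text.is_empty() && glob_match(pattern, &text[1..])),
        (Some('?'), Some(_)) => glob_match(&pattern[1..], &text[1..]),
        (Some(p), Some(t)) if p == t => glob_match(&pattern[1..], &text[1..]),
        _ => false,
    }
}

impl PermissionPolicy {
    /// Evaluate `input` against the rules for `tool_id`; first match wins.
    /// A tool with no rules, or no matching rule, falls back to Ask.
    pub fn evaluate(&self, tool_id: &str, input: &str) -> PermissionAction {
        let text: Vec<char> = input.chars().collect();
        self.rules.get(tool_id).into_iter().flatten()
            .find(|r| glob_match(&r.pattern.chars().collect::<Vec<_>>(), &text))
            .map_or(PermissionAction::Ask, |r| r.action)
    }
}

/// Build the policy from the issue's `[tools.permissions]` example (constructed here in code).
pub fn example_policy() -> PermissionPolicy {
    let rule = |p: &str, a| PermissionRule { pattern: p.to_string(), action: a };
    let bash = vec![
        rule("git *", PermissionAction::Allow),
        rule("cargo *", PermissionAction::Allow),
        rule("rm -rf *", PermissionAction::Deny),
        rule("*", PermissionAction::Ask),
    ];
    PermissionPolicy { rules: HashMap::from([("bash".to_string(), bash)]) }
}

fn main() {
    let policy = example_policy();
    for cmd in ["git status", "rm -rf /tmp/x", "ls -la", "git push && rm -rf /"] {
        println!("{cmd:?} -> {:?}", policy.evaluate("bash", cmd));
    }
}
```

Because the first match wins, a chained `git push && rm -rf /` matches `git *` before the deny rule is reached and is allowed; a policy author should therefore list deny rules ahead of broad allow prefixes (or have the unit tests for rule ordering cover exactly this case).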