Problem

ShellExecutor still uses legacy blocked_commands and confirm_patterns fields. These should map to the new PermissionPolicy system.

Solution

• Convert blocked_commands entries to { pattern, action: Deny } rules
• Convert confirm_patterns entries to { pattern, action: Ask } rules
• Keep old config fields as backward-compatible aliases (deserialized into PermissionPolicy)
• Replace is_dangerous() + should_confirm() checks in ShellExecutor with single PermissionPolicy::check(tool_id, input) call

Acceptance Criteria

• Old blocked_commands config auto-converted to deny rules
• Old confirm_patterns config auto-converted to ask rules
• ShellExecutor uses PermissionPolicy for all permission checks
• Backward compatibility: existing configs work without changes
• Tests for migration logic

Part of #247 (M19 Phase C)