feat: conectar sistema centralizado de seguridad al launcher y runtime

- Migrar admin a security/user-groups.yaml (admins group)
- agents.New() ahora acepta acl.ACL pre-resuelta como parámetro;
  elimina construcción interna desde cfg.Security.Roles
- cmd/launcher: carga shellsecurity.Load("security/") al arranque;
  si falla, WARN + política vacía (open access). Para cada agente
  llama pksecurity.ResolveACL y pasa la ACL a agents.New()
- cmd/launcher/registry.go: stores secPolicy en launchDeps para
  que reload() también resuelva ACL centralmente
- shell/matrix/listener.go: elimina invite gating y allowlist check
  basados en AllowedUsers; el control de acceso lo hace el runtime
- internal/config/schema.go: depreca campos Roles y AllowedUsers
  (backward compat, no eliminados)
- agents/*/config.yaml: elimina bloques security.roles y allowed_users
- dev/feature_flags.json: activa centralized-security-groups (enabled: true)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

cmd/launcher/main.go

@@ -26,9 +26,11 @@ import (
 	"github.com/enmanuel/agents/internal/config"
 	"github.com/enmanuel/agents/pkg/decision"
 	"github.com/enmanuel/agents/pkg/orchestration"
+	pksecurity "github.com/enmanuel/agents/pkg/security"
 	"github.com/enmanuel/agents/shell/bus"
 	agentlog "github.com/enmanuel/agents/shell/logger"
 	orchshell "github.com/enmanuel/agents/shell/orchestration"
+	shellsecurity "github.com/enmanuel/agents/shell/security"
 )
 
 // rulesRegistry maps agent IDs to their rule factories.
@@ -81,6 +83,19 @@ func main() {
 			ctx, stop := signal.NotifyContext(context.Background(), syscall.SIGINT, syscall.SIGTERM)
 			defer stop()
 
+			// ── Load centralized security policy ──
+			secPolicy, secErr := shellsecurity.Load("security/")
+			if secErr != nil {
+				logger.Warn("security policy load failed, using empty policy (open access)", "err", secErr)
+				secPolicy = pksecurity.SecurityPolicy{}
+			} else {
+				logger.Info("security policy loaded",
+					"user_groups", len(secPolicy.UserGroups),
+					"agent_groups", len(secPolicy.AgentGroups),
+					"policies", len(secPolicy.Policies),
+				)
+			}
+
 			// ── Shared bus for inter-agent communication ──
 			agentBus := bus.New(logger)
 
@@ -95,11 +110,12 @@ func main() {
 
 			// ── Shared dependencies for agent registry ──
 			deps := &launchDeps{
-				agentBus:  agentBus,
-				orch:      orch,
-				logDir:    logDir,
-				logLevel:  lvl,
-				parentCtx: ctx,
+				agentBus:   agentBus,
+				orch:       orch,
+				logDir:     logDir,
+				logLevel:   lvl,
+				parentCtx:  ctx,
+				secPolicy:  secPolicy,
 			}
 			registry := newAgentRegistry(deps)
 
@@ -158,7 +174,14 @@ func main() {
 					agentCleanup = func() {}
 				}
 
-				a, err := agents.New(cfg, rules, agentLogger)
+				// Resolve centralized ACL for this agent
+				agentACL := pksecurity.ResolveACL(cfg.Agent.ID, deps.secPolicy)
+				agentLogger.Debug("resolved acl for agent",
+					"agent", cfg.Agent.ID,
+					"acl_empty", agentACL.Empty(),
+				)
+
+				a, err := agents.New(cfg, rules, agentACL, agentLogger)
 				if err != nil {
 					logger.Error("failed to create agent", "id", cfg.Agent.ID, "err", err)
 					agentCleanup()