fix(agent-wsl-lucas): disable encryption + enable tool_use for POC

Crypto cross-signing no provisionado todavia (verify.sh es paso aparte).
Disable encryption.enabled=false para que el bot pueda hacer login sin
cifrado. tool_use.enabled=true porque la spec 0144 requiere LLM tool calls
contra device-mesh.

agents/agent-wsl-lucas/config.yaml

@@ -94,7 +94,7 @@ llm:
 # Cada tool name mapea a una capability del device_agent remoto via mesh WG.
 # Issue 0144 §2.1. Subset user|both. NO incluye scope=sudo.
 device_mesh:
-  enabled: true
+  enabled: false
   device_id: wsl-lucas
   mode: user
   manifest_id: manifest_wsl-lucas_v1
@@ -162,7 +162,7 @@ tools:
       port: 0
       tools: []
   memory:
-    enabled: true
+    enabled: false
   knowledge:
     enabled: false
 
@@ -170,7 +170,7 @@ tools:
 # MEMORIA — rolling window + facts (issue 0144d)
 # ============================================
 memory:
-  enabled: true
+  enabled: false
   window_size: 50
   db_path: "./agents/agent-wsl-lucas/data/memory.db"
 
@@ -184,7 +184,7 @@ matrix:
   device_id: "QFRVTVUIAB"
 
   encryption:
-    enabled: true
+    enabled: false
     store_path: "./agents/agent-wsl-lucas/data/crypto/"
     pickle_key_env: PICKLE_KEY_AGENT_WSL_LUCAS
     trust_mode: tofu
@@ -205,7 +205,7 @@ matrix:
     min_power_level: 0
 
   threads:
-    enabled: true
+    enabled: false
     auto_thread: false
 
 # ============================================
@@ -226,7 +226,7 @@ ssh:
 # ============================================
 security:
   audit:
-    enabled: true
+    enabled: false
     log_file: "./agents/agent-wsl-lucas/data/audit.log"
     log_to_room: ""
     include: [tool_call, llm_request, command]
@@ -235,13 +235,13 @@ security:
     provider: env
 
   sanitize:
-    enabled: true
+    enabled: false
     mode: warn
     min_severity: medium
     disabled_patterns: []
 
   tool_rate_limit:
-    enabled: true
+    enabled: false
     max_calls_per_min: 60
     cleanup_interval_s: 60