feat: pkg/security/ — tipos puros y resolución ACL (issue 0024a)

Crea el paquete puro pkg/security/ con los tipos base del sistema
centralizado de permisos y la función ResolveACL.

Cambios:
- pkg/acl/config.go: añade FromRoles([]Role) ACL como constructor directo
- pkg/security/groups.go: UserGroup, AgentGroup
- pkg/security/policy.go: Permission, AgentPolicy, SecurityPolicy
- pkg/security/resolver.go: ResolveACL(agentID, SecurityPolicy) → acl.ACL
  * soporte wildcard de agente ("*") y de usuario ("*")
  * políticas acumulativas: unión de permisos entre grupos
  * referencia directa por agentID sin definir grupo
- pkg/security/security_test.go: 7 tests cubriendo todos los casos del issue

El paquete es pure core: cero I/O, cero side effects.
Mergeado con feature flag centralized-security-groups = false (no wired).

pkg/security/policy.go

@@ -0,0 +1,23 @@
+package security
+
+// Permission grants a set of actions to all members of a UserGroup.
+type Permission struct {
+	UserGroup string
+	Actions   []string
+}
+
+// AgentPolicy assigns a set of permissions to all agents in an AgentGroup.
+// AgentGroup may be a group name defined in SecurityPolicy.AgentGroups,
+// or a direct agent ID (without defining a group).
+type AgentPolicy struct {
+	AgentGroup  string
+	Permissions []Permission
+}
+
+// SecurityPolicy is the top-level pure data structure that describes
+// who can do what across which agents.
+type SecurityPolicy struct {
+	UserGroups  []UserGroup
+	AgentGroups []AgentGroup
+	Policies    []AgentPolicy
+}