
Consolidate redundant Plan Mode and Read-Only policy rules #24769

@jerop

Description


The current policy configuration duplicates many "safe" tool definitions (like read_file, glob, and grep_search) across both read-only.toml and plan.toml. This duplication exists because Plan Mode uses a high-priority catch-all deny (60) that overrides the default safe tool allows (50).

We need to consolidate safe tool management by leveraging the priority system to allow safe tools to "punch through" the Plan Mode boundary naturally. Thanks to @abhipatel12 for this suggestion!

Details

  • Consolidation: Unify all strictly safe read-only, research, and tracker tools into read-only.toml using array syntax at priority 50.
  • Plan Mode Optimization: Lower the Plan Mode catch-all deny priority to 40 in plan.toml. This allows priority 50 safe tools to remain functional during planning without explicit re-listing.
  • Priority Calibration: Adjust PRIORITY_SUBAGENT_TOOL to 1.03 (priority 30) to ensure unknown subagents (like the browser agent) are correctly blocked by Plan Mode's priority 40 deny rule, while remaining above directive write tools (priority 10).
  • Tracker Rules Cleanup: Integrate rules in tracker.toml into the central safe tier, and delete the file.
  • Scope Preservation: Retained explicit re-allows for interactive tools (ask_user, web_fetch) in plan.toml at priority 50, keeping them out of the strictly non-modifying read-only.toml.

Impact

  • Maintainability: Centralizes safe tool definitions in one location, making it easier to update them.
  • Clarity: Reduces the "noise" in plan.toml, making it easier to see plan-specific overrides (like plan file modification rules).
  • Consistency: Standardizes the priority hierarchy across default policy files.
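To make the priority interplay in this issue concrete, here is a small added model of the resolution logic (example code written for this page, not the project's own policy engine). It assumes a rule is a (tool, decision, priority, source) tuple, that "*" is a catch-all, that the highest priority wins, and that on an exact tie deny beats allow; the tool names beyond those in the issue (list_directory, write_file, browser_agent) and the file labels are constructed placeholders. It shows why a priority-40 Plan Mode deny lets priority-50 safe tools through while still blocking a priority-30 subagent and a priority-10 write tool, and why the old priority-60 deny forced re-listing.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    tool: str        # tool name, or "*" as a catch-all that matches every tool
    decision: str    # "allow" or "deny"
    priority: int    # higher priority wins
    source: str      # file the rule is modelled as coming from (for tracing)

# Safe tools consolidated into read-only.toml at priority 50 (list_directory is a placeholder).
SAFE_TOOLS = ("read_file", "glob", "grep_search", "list_directory")

def build_rules(plan_mode: bool, plan_deny_priority: int = 40) -> list[Rule]:
    """Assemble the constructed rule set for one mode.

    plan_deny_priority=40 models the proposal in the issue; 60 models the old layout.
    """
    rules = [Rule(t, "allow", 50, "read-only.toml") for t in SAFE_TOOLS]
    # Directive write tools sit at priority 10 (placeholder tool name).
    rules.append(Rule("write_file", "allow", 10, "directive"))
    # An unknown subagent resolves to priority 30 (PRIORITY_SUBAGENT_TOOL = 1.03 in the issue).
    rules.append(Rule("browser_agent", "allow", 30, "subagent"))
    if plan_mode:
        rules.append(Rule("*", "deny", plan_deny_priority, "plan.toml"))
        # Interactive tools are explicitly re-allowed in plan.toml at priority 50.
        rules += [Rule(t, "allow", 50, "plan.toml") for t in ("ask_user", "web_fetch")]
    return rules

def decide(tool: str, rules: list[Rule], default: str = "deny") -> tuple[str, Optional[str]]:
    """Return (decision, source) for a tool: the highest-priority matching rule wins.

    On an exact priority tie, deny beats allow (an assumption of this model).
    """
    matching = [r for r in rules if r.tool in (tool, "*")]
    if not matching:
        return default, None
    best = max(matching, key=lambda r: (r.priority, r.decision == "deny"))
    return best.decision, best.source

def plan_mode_table(plan_deny_priority: int = 40) -> dict[str, str]:
    """Decision for each tool of interest under Plan Mode with the given catch-all priority."""
    rules = build_rules(plan_mode=True, plan_deny_priority=plan_deny_priority)
    tools = SAFE_TOOLS + ("ask_user", "web_fetch", "browser_agent", "write_file")
    return {t: decide(t, rules)[0] for t in tools}

if __name__ == "__main__":
    for label, prio in (("proposed (deny 40)", 40), ("old layout (deny 60)", 60)):
        print(f"Plan Mode, {label}:")
        for tool, outcome in plan_mode_table(prio).items():
            print(f"  {tool:15s} -> {outcome}")
```

With the proposed layout, read_file is allowed by the read-only.toml rule without any duplicate in plan.toml, while browser_agent and write_file fall to the catch-all deny; with the old priority-60 deny, every safe tool would have to be re-listed in plan.toml at a higher priority to stay usable.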

Metadata

Labels

  • area/core: Issues related to User Interface, OS Support, Core Functionality
  • area/enterprise: Issues related to Telemetry, Policy, Quota / Licensing
  • workstream-rollup: Label used to tag epics and features that are associated with one of the three primary workstreams
  • 🔒 maintainer only: ⛔ Do not contribute. Internal roadmap item.

Status

Closed
