feat: proper confirmation-resume flow + per-user tool policy

Fixes the broken confirmation gate where users had no way to approve
or deny a blocked tool call in the web UI.

Changes:
- orchestrator_engine.py: add OrchestrateCheckpoint dataclass, extract
  loop into _run_from_contents(), add resume() function
- openai_orchestrator.py: same treatment — _run_from_messages(), resume()
- routers/orchestrator.py: POST /{job_id}/confirm and /deny endpoints,
  separate _checkpoints store, _resume_job() + _finalize_job() helpers,
  "awaiting_confirmation" job status with pending_confirmation payload
- auth_utils.py: get_tool_policy() and save_tool_policy() helpers reading
  home/{user}/tool_policy.json (allow/deny lists)
- routers/orchestrator.py: loads tool_policy per user and passes
  confirm_allow/confirm_deny to both engines
- app.js: poll loop handles awaiting_confirmation — shows Confirm/Deny
  buttons inline, resumes polling after user action
- settings.html + settings.py: Tool Permissions section with allow/deny
  textareas, POST /settings/tool-policy route
- style.css: .confirm-gate, .confirm-btn, .deny-btn styles

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

cortex/routers/settings.py

@@ -18,7 +18,8 @@ import jwt
 from fastapi import APIRouter, Form, Request
 from fastapi.responses import HTMLResponse, RedirectResponse
 
-from auth_utils import COOKIE_NAME, decode_token, check_credentials, set_password, _read_auth, _write_auth, get_user_channels
+from auth_utils import COOKIE_NAME, decode_token, check_credentials, set_password, _read_auth, _write_auth, get_user_channels, get_tool_policy, save_tool_policy
+from tools import CONFIRM_REQUIRED
 from persona import list_user_personas
 from config import settings as app_settings
 
@@ -84,6 +85,15 @@ def _settings_page(username: str, personas: list[str], back_persona: str = "", s
     html = html.replace("{{ nc_notify_room }}", nc_room)
     html = html.replace("{{ gc_webhook }}", gc_webhook)
 
+    # Tool permission policy
+    policy = get_tool_policy(username)
+    tool_allow_text = _html.escape("\n".join(policy.get("allow", [])))
+    tool_deny_text  = _html.escape("\n".join(policy.get("deny", [])))
+    confirm_tools_list = _html.escape(", ".join(sorted(CONFIRM_REQUIRED)))
+    html = html.replace("{{ tool_allow }}", tool_allow_text)
+    html = html.replace("{{ tool_deny }}", tool_deny_text)
+    html = html.replace("{{ confirm_required_tools }}", confirm_tools_list)
+
     persona_items = "\n".join(
         f'''<li>
           <a href="/{username}/{p}" class="persona-link">{p}</a>
@@ -302,6 +312,27 @@ async def save_notifications(
                                        success="Notification settings saved."))
 
 
+@router.post("/settings/tool-policy", include_in_schema=False)
+async def save_tool_policy_route(
+    request: Request,
+    allow_list: str = Form(""),
+    deny_list: str = Form(""),
+):
+    username = _get_session_user(request)
+    if not username:
+        return RedirectResponse("/login", status_code=302)
+
+    personas = list_user_personas(username)
+    back_persona = _preferred_persona(request, username)
+
+    allow_tools = [ln.strip() for ln in allow_list.splitlines() if ln.strip()]
+    deny_tools  = [ln.strip() for ln in deny_list.splitlines() if ln.strip()]
+    save_tool_policy(username, {"allow": allow_tools, "deny": deny_tools})
+    logger.info("tool policy updated for %s (allow=%d deny=%d)", username, len(allow_tools), len(deny_tools))
+    return HTMLResponse(_settings_page(username, personas, back_persona,
+                                       success="Tool permission policy saved."))
+
+
 @router.post("/settings/email-allowlist", include_in_schema=False)
 async def save_email_allowlist(
     request: Request,