feat: preflight check for skill-required permissions vs user-level denies #181

@ryzizub

Description

Skills declare required tool access via allowed-tools frontmatter (e.g. Bash(git push *) Bash(gh *) in skills/create-pr/SKILL.md). Per Claude Code permissions model, rules evaluate deny → ask → allow. Skill allowed-tools can only add permission — cannot override higher-scope deny.

Result: user with conflicting deny at user or project level starts skill, does partial work, fails mid-session. Session ends half-baked, context lost.

Add preflight check that validates current permission ruleset against invoked skill's allowed-tools before work begins, and surfaces conflicts with clear remediation message.

Requirements

  • Detect conflicts between resolved permission ruleset (user + project + local scopes) and invoked skill's allowed-tools.
  • Emit preflight error listing:
    • Each tool pattern skill needs
    • Which scope denies or asks for it
    • Remediation command or config path
  • Run at skill entry, before any tool call that would trip deny.
  • Apply across every skill declaring allowed-tools (create-pr, create-branch, review, build, hotfix, etc.).
  • Alternative surface: document required permissions per skill in README or skill frontmatter rendering for self-audit.

Additional Context
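
One way the preflight check requested above could work, as an added example that is not part of the original issue or the project's code. It flags every `deny` or `ask` rule whose pattern can overlap a pattern in the skill's `allowed-tools`. Assumptions: the settings paths used as scope labels, the sample rules, the function names, and the simplified `*` glob matching (the real matcher may differ) are all illustrative.

```python
import re
from functools import lru_cache

# Constructed sample input: a skill file and three permission scopes.
SKILL_MD = """---
name: create-pr
allowed-tools: Bash(git push *) Bash(gh *)
---
"""
SCOPES = {  # assumed settings paths -> constructed rules
    "user (~/.claude/settings.json)": {"deny": ["Bash(git push --force *)"], "ask": []},
    "project (.claude/settings.json)": {"deny": [], "ask": ["Bash(gh *)"]},
    "local (.claude/settings.local.json)": {"deny": ["Bash(rm *)"], "ask": []},
}
RULE = re.compile(r"(\w+)(?:\(([^)]*)\))?")

def parse_rules(text):
    """'Bash(git push *) Read' -> [('Bash', 'git push *'), ('Read', '*')]."""
    return [(tool, spec or "*") for tool, spec in RULE.findall(text)]

@lru_cache(maxsize=None)
def overlap(a, b):
    """True if some string matches both glob patterns ('*' = any run)."""
    if not a and not b:
        return True
    if a[:1] == "*":
        return overlap(a[1:], b) or (bool(b) and overlap(a, b[1:]))
    if b[:1] == "*":
        return overlap(a, b[1:]) or (bool(a) and overlap(a[1:], b))
    return bool(a) and bool(b) and a[0] == b[0] and overlap(a[1:], b[1:])

def preflight(skill_md, scopes):
    """Return (needed, action, scope, rule) for every blocking rule."""
    line = re.search(r"^allowed-tools:\s*(.+)$", skill_md, re.M)
    needed = parse_rules(line.group(1)) if line else []
    conflicts = []
    for tool, spec in needed:
        for action in ("deny", "ask"):  # deny is evaluated before ask
            for scope, rules in scopes.items():
                for rule in rules.get(action, []):
                    r_tool, r_spec = parse_rules(rule)[0]
                    if r_tool == tool and overlap(spec, r_spec):
                        conflicts.append((f"{tool}({spec})", action, scope, rule))
    return conflicts

if __name__ == "__main__":
    for need, action, scope, rule in preflight(SKILL_MD, SCOPES):
        print(f"{need}: '{action}' rule {rule} in {scope}; edit that file before running the skill")
```

The overlap test is deliberately conservative: a deny that covers only part of what the skill needs (here `git push --force *` against `git push *`) is still reported, since the skill could hit it mid-session.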
