[DAP] Remember command/tool approvals: IDE/CLI in sessions

Problem to Solve

When using Duo Chat or Flows in the IDE or CLI, repeated tool approvals create friction. Tasks involving many tool calls (e.g., grep, find, test runs) require clicking "Approve tool" repeatedly for the same operation.

Proposal

Add session-based tool approval: approve a tool once and remember that approval for the current session.

User Experience:

• "Approve" - Execute once (existing behavior)
• "Approve for Session" - Execute and remember for this session

Key Design Decisions:

• Approval matching: tool name + arguments (not just tool name)
• Storage: Client-side YAML files (.gitlab/.tool-approvals/{workflow-id}.yaml)
• Scope: Works for any tool requiring approval
• Security: Each unique tool+args combination requires explicit approval

Implementation:

• New: NativeToolApprovalController, YamlNativeToolSessionApprovalStore
• Modified: UI layer, workflow store, workflow controller, node executor, agent CLI
• Backend: Receives approval info for logging/audit; client is source of truth

YAML Format (human-editable):

workflowId: "159"
version: "1.0"
approvals:
  - toolName: run_command
    approvedCalls:
      - args: {program: "npm", args: "install"}
        approvedAt: "2026-01-21T09:14:47Z"

Backwards compatible with existing backends.