Harden worker instruction answers #97

Merged
pmbstyle merged 1 commit into main from codex/fix-cross-worker-instruction-injection-vulnerability on May 17, 2026
Conversation

@pmbstyle
Owner

Motivation

  • Fix an authorization bypass where a worker with child-spawn tools could answer/resume an unrelated paused worker via answer_worker_instruction and runtime.answer_instruction without lineage checks.
  • Limit worker-originated instruction answers so only the target worker's direct parent can resume it and record denied attempts for auditability.

Description

  • Add an optional answerer_worker_id parameter to WorkerRuntime.answer_instruction and perform a check that the provided answerer is the target worker's parent_worker_id, returning false and auditing when the check fails.
  • Update the answer_worker_instruction tool to derive the caller worker id from the tool context, reject non-parent callers, and pass the verified answerer_worker_id into the runtime call.
  • Add helper functions _answerer_worker_id and _is_direct_child_worker in the worker management tool and include the answerer id in successful-answer audits.
  • Add regression tests in tests/test_worker_suspend_resume.py covering refused cross-parent answers and successful direct-parent answers.

Testing

  • Ran uv run ruff check src/octopal/runtime/workers/runtime.py src/octopal/tools/workers/management.py tests/test_worker_suspend_resume.py which passed.
  • Ran targeted unit tests with PYTHONPATH=src:.venv/lib/python3.14/site-packages python -m pytest tests/test_worker_suspend_resume.py tests/test_agent_loop_improvements.py -q and the test suites passed.
  • Ran formatting checks with uv run black --check tests/test_worker_suspend_resume.py which succeeded; dev dependency installation (uv sync --extra dev) had transient index fetch failures but did not affect running the targeted tests that passed.

Codex Task

@pmbstyle pmbstyle self-assigned this May 17, 2026
@pmbstyle pmbstyle merged commit a2d573c into main May 17, 2026
4 checks passed
@pmbstyle pmbstyle deleted the codex/fix-cross-worker-instruction-injection-vulnerability branch May 17, 2026 00:04
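
The parent-only rule described in this PR, as an added sketch that is not Octopal's code. Only `answer_instruction`, `answerer_worker_id` and `parent_worker_id` are names from the description; `DemoRuntime`, `Worker`, the audit record fields and the treatment of a missing `answerer_worker_id` as a non-worker caller are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Worker:
    worker_id: str
    parent_worker_id: str | None = None
    paused: bool = False
    answer: str | None = None


@dataclass
class DemoRuntime:
    """Hypothetical stand-in for a worker runtime; not the project's class."""
    workers: dict[str, Worker] = field(default_factory=dict)
    audit_log: list[dict] = field(default_factory=list)

    def add(self, worker_id: str, parent: str | None = None, paused: bool = False) -> None:
        self.workers[worker_id] = Worker(worker_id, parent, paused)

    def answer_instruction(self, target_id: str, answer: str,
                           answerer_worker_id: str | None = None) -> bool:
        target = self.workers.get(target_id)
        if target is None or not target.paused:
            return False
        # Assumption: None means a non-worker caller, so no lineage check applies.
        # A worker-originated answer must come from the target's direct parent;
        # grandparents and unrelated workers are refused and the attempt is audited.
        if answerer_worker_id is not None and target.parent_worker_id != answerer_worker_id:
            self._audit("answer_denied", target_id, answerer_worker_id)
            return False
        target.answer, target.paused = answer, False
        self._audit("answer_accepted", target_id, answerer_worker_id)
        return True

    def _audit(self, event: str, target_id: str, answerer: str | None) -> None:
        self.audit_log.append({"event": event, "target": target_id, "answerer": answerer})


def build_constructed_tree() -> DemoRuntime:
    # Constructed lineage: root -> parent_a -> child (paused); root -> parent_b
    rt = DemoRuntime()
    rt.add("root")
    rt.add("parent_a", parent="root")
    rt.add("parent_b", parent="root")
    rt.add("child", parent="parent_a", paused=True)
    return rt
```

Calling `answer_instruction("child", ...)` with `parent_b` or `root` as the answerer leaves the child paused and appends an `answer_denied` record; only `parent_a` resumes it.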