fix: Per-agent Forgejo accounts — identity and permissions via authorship (#747)

Each agent now gets its own Forgejo account (dev-bot, review-bot,
planner-bot, gardener-bot, vault-bot, supervisor-bot, predictor-bot,
action-bot) with a dedicated API token. This enables:

- Audit trail: every forge action attributable to a specific agent
- Permission boundaries: agents act under their own identity
- Vault authorization model: vault-bot comments = proof of approval

Changes:
- bin/disinto: setup_forge() creates all 8 bot accounts during init,
  stores per-agent tokens (FORGE_*_TOKEN) in .env, adds all bots as
  repo collaborators
- lib/env.sh: exports per-agent token vars with fallback to FORGE_TOKEN
  for backwards compat; sets FORGE_BOT_USERNAMES default to all 8 bots
- Agent scripts: each agent overrides FORGE_TOKEN with its per-agent
  token after sourcing env.sh (gardener, planner, supervisor, predictor,
  vault, action)
- .env.example: documents all per-agent token fields

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

planner/planner-run.sh

@@ -18,6 +18,8 @@ FACTORY_ROOT="$(dirname "$SCRIPT_DIR")"
 export PROJECT_TOML="${1:-$FACTORY_ROOT/projects/disinto.toml}"
 # shellcheck source=../lib/env.sh
 source "$FACTORY_ROOT/lib/env.sh"
+# Use planner-bot's own Forgejo identity (#747)
+FORGE_TOKEN="${FORGE_PLANNER_TOKEN:-${FORGE_TOKEN}}"
 # shellcheck source=../lib/agent-session.sh
 source "$FACTORY_ROOT/lib/agent-session.sh"
 # shellcheck source=../lib/formula-session.sh