feat(884): persistent perm_rx lock-holder for Matrix bot

Before: handle_message.rs acquired services.perm_rx only while processing
one chat message and dropped it on chat_fut completion. The moment the
bot wasn't actively responding, prompt_permission auto-denied any spawned
coder bash call as "no interactive session" — making unattended coder
work impossible.

Now: a permission_listener task is spawned at bot startup and holds
perm_rx for the bot's lifetime. Permission requests are forwarded to
the first configured Matrix room, replies resolved by the existing
on_room_message handler via pending_perm_replies. Per-message acquire is
gone from handle_message.rs (chat_fut just awaits cleanly).

- New module: chat/transport/matrix/bot/permission_listener.rs.
- Wired into run_bot before BotContext construction; bot_sent_event_ids
  is hoisted out so the listener and the rest of the bot share it.
- handle_message.rs no longer touches perm_rx.
- diagnostics/permission.rs comment updated to reflect the new reality.
- Regression test asserts the listener forwards a PermissionForward to
  the target room and records the pending reply key — exactly the path
  that was broken when no chat_fut was in flight.

Discord/Slack/WhatsApp transports still acquire perm_rx per message
(commands.rs:368 / commands/llm.rs:83 / commands/llm.rs:82). They are
not the active transport in this deployment so their per-message acquire
remains dormant; the same listener pattern should be applied to them as
follow-up work in 884 phase 2.

server/src/chat/transport/matrix/bot/messages/handle_message.rs

@@ -2,13 +2,11 @@
 //! streams the assistant reply back to the room.
 
 use crate::chat::util::drain_complete_paragraphs;
-use crate::http::context::PermissionDecision;
 use crate::llm::providers::claude_code::{ClaudeCodeProvider, ClaudeCodeResult};
 use crate::slog;
 use matrix_sdk::ruma::OwnedRoomId;
 use std::sync::Arc;
 use std::sync::atomic::{AtomicBool, Ordering};
-use std::time::Duration;
 use tokio::sync::watch;
 
 use super::super::context::BotContext;
@@ -113,64 +111,10 @@ pub(in crate::chat::transport::matrix::bot) async fn handle_message(
     );
     tokio::pin!(chat_fut);
 
-    // Lock the permission receiver for the duration of this chat session.
-    // Permission requests from the MCP `prompt_permission` tool arrive here.
-    let mut perm_rx_guard = ctx.services.perm_rx.lock().await;
-
-    let result = loop {
-        tokio::select! {
-            r = &mut chat_fut => break r,
-
-            Some(perm_fwd) = perm_rx_guard.recv() => {
-                // Post the permission prompt to the room via the transport.
-                let prompt_msg = format!(
-                    "**Permission Request**\n\n\
-                     Tool: `{}`\n```json\n{}\n```\n\n\
-                     Reply **yes** to approve or **no** to deny.",
-                    perm_fwd.tool_name,
-                    serde_json::to_string_pretty(&perm_fwd.tool_input)
-                        .unwrap_or_else(|_| perm_fwd.tool_input.to_string()),
-                );
-                let html = markdown_to_html(&prompt_msg);
-                if let Ok(msg_id) = ctx.transport.send_message(&room_id_str, &prompt_msg, &html).await
-                    && let Ok(event_id) = msg_id.parse()
-                {
-                    sent_ids.lock().await.insert(event_id);
-                }
-
-                // Store the MCP oneshot sender so the event handler can
-                // resolve it when the user replies yes/no.
-                ctx.services.pending_perm_replies
-                    .lock()
-                    .await
-                    .insert(room_id.to_string(), perm_fwd.response_tx);
-
-                // Spawn a timeout task: auto-deny if the user does not respond.
-                let pending = Arc::clone(&ctx.services.pending_perm_replies);
-                let timeout_room_id = room_id.to_string();
-                let timeout_transport = Arc::clone(&ctx.transport);
-                let timeout_room_id_str = room_id_str.clone();
-                let timeout_sent_ids = Arc::clone(&ctx.bot_sent_event_ids);
-                let timeout_secs = ctx.services.permission_timeout_secs;
-                tokio::spawn(async move {
-                    tokio::time::sleep(Duration::from_secs(timeout_secs)).await;
-                    if let Some(tx) = pending.lock().await.remove(&timeout_room_id) {
-                        let _ = tx.send(PermissionDecision::Deny);
-                        let msg = "Permission request timed out — denied (fail-closed).";
-                        let html = markdown_to_html(msg);
-                        if let Ok(msg_id) = timeout_transport
-                            .send_message(&timeout_room_id_str, msg, &html)
-                            .await
-                            && let Ok(event_id) = msg_id.parse()
-                        {
-                            timeout_sent_ids.lock().await.insert(event_id);
-                        }
-                    }
-                });
-            }
-        }
-    };
-    drop(perm_rx_guard);
+    // Permission requests are handled by the persistent permission_listener
+    // task spawned at bot startup (story 884) — they no longer route through
+    // per-message handlers. Just await chat_fut.
+    let result = (&mut chat_fut).await;
 
     // Flush any remaining text that didn't end with a paragraph boundary.
     let remaining = buffer.lock().unwrap().trim().to_string();