fix(companion): absolute node path for MCP spawn + restrict to mcp tools

claude resolves the MCP server command against the child env (no PATH), so a
bare 'node' failed to spawn (status:failed). Use process.execPath. Also pass
--tools to drop claude's built-ins (Bash/Read/Write/…) — companion gets only
the four mcp__void__* tools.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

lib/ai/claude_cli.js

@@ -58,6 +58,7 @@ import { createInterface } from 'readline';
  * @param {string[]} [opts.allowedTools]   Tool names to allow (--allowedTools multi-value)
  * @param {function} [opts.onEvent]        Called for each normalized event
  * @param {string}   [opts.claudeExe]      Path or name of claude binary (default: CLAUDE_EXE env or 'claude')
+ * @param {string[]} [opts.tools]          Exclusive available-tools allowlist (--tools); removes built-ins
  * @param {string}   [opts.home]           If set, overrides HOME in child env (for service-user creds)
  * @param {string}   [opts.cwd]            Working directory for the child process
  * @param {number}   [opts.timeoutMs]      Milliseconds before SIGTERM (default: 600000)
@@ -71,6 +72,7 @@ export async function runClaudeTurn(opts) {
     userText,
     mcpConfigPath,
     allowedTools = [],
+    tools = [],
     onEvent,
     claudeExe = process.env.CLAUDE_EXE || 'claude',
     home = process.env.VOID_CLAUDE_HOME,
@@ -94,6 +96,12 @@ export async function runClaudeTurn(opts) {
     args.push('--mcp-config', mcpConfigPath, '--strict-mcp-config');
   }
 
+  if (tools.length > 0) {
+    // --tools is the EXCLUSIVE availability allowlist: restricts the session to
+    // exactly these tools, removing claude's built-ins (Bash/Read/Write/Grep/…).
+    args.push('--tools', ...tools);
+  }
+
   if (allowedTools.length > 0) {
     // --allowedTools accepts space-separated list as multiple values under one flag
     args.push('--allowedTools', ...allowedTools);