fix: align security_settings with permission_mode + add dependency tests

- Fix settings inconsistency in ExpandChatSession: security_settings
  now uses "bypassPermissions" to match permission_mode parameter
- Add comprehensive tests for dependency resolver (12 tests):
  - Cycle detection in compute_scheduling_scores (critical fix from PR #124)
  - Self-reference handling
  - Diamond dependency patterns
  - would_create_circular_dependency validation
  - Dependency satisfaction checks

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

server/services/expand_chat_session.py

@@ -151,10 +151,14 @@ class ExpandChatSession:
             return
 
         # Create temporary security settings file (unique per session to avoid conflicts)
+        # Note: permission_mode="bypassPermissions" is safe here because:
+        # 1. Only Read/Glob file tools are allowed (no Write/Edit)
+        # 2. MCP tools are restricted to feature creation only
+        # 3. No Bash access - cannot execute arbitrary commands
         security_settings = {
             "sandbox": {"enabled": True},
             "permissions": {
-                "defaultMode": "acceptEdits",
+                "defaultMode": "bypassPermissions",
                 "allow": [
                     "Read(./**)",
                     "Glob(./**)",