Fix container execution and add debug tooling

Container fixes:
- Run as non-root 'node' user (required for --dangerously-skip-permissions)
- Add allowDangerouslySkipPermissions: true to SDK options
- Mount .env file to work around Apple Container -i env var bug
- Use --mount for readonly, -v for read-write (Apple Container quirk)
- Bump SDK to 0.2.29, zod to v4
- Install Claude Code CLI globally in container

Logging improvements:
- Write per-run logs to groups/{folder}/logs/container-*.log
- Add debug-level logging for mounts and container args

Documentation:
- Add /debug skill with comprehensive troubleshooting guide
- Update /setup skill with API key configuration step
- Update SPEC.md with container details, mount syntax, security notes

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

container/agent-runner/src/index.ts

@@ -83,6 +83,7 @@ async function main(): Promise<void> {
           'mcp__gmail__*'
         ],
         permissionMode: 'bypassPermissions',
+        allowDangerouslySkipPermissions: true,
         settingSources: ['project'],
         mcpServers: {
           nanoclaw: ipcMcp,