Add accessLevel option to agent submodule

Summary

Add an `accessLevel` option to the agent submodule in `nix/modules/flake/agent-roster.nix` to express GitLab permission levels per agent.

Motivation

needypants is defined as read-only (Reporter access — can comment but not push). The current 5-section prompt type has no mechanism to express permission levels. This was identified by @nastypants and @fancypants during the roster expansion review.

Specification

Add to the agent submodule options:

```nix accessLevel = lib.mkOption { type = lib.types.enum [ "reporter" "developer" "maintainer" ]; default = "developer"; description = "GitLab access level for the agent. Controls repository permissions."; }; ```

This does not affect PROMPT.md generation — it is metadata for the provisioning layer (Phase 2 deployment module) to set the correct GitLab project membership level.

Acceptance Criteria

`accessLevel` option added to agent submodule with enum type
Default value is `"developer"`
Validation: needypants must be `"reporter"` (enforced via module assertion)
@nastypants QC approved
@fancypants theoretical review (option fits the product type cleanly)

Parent: #3 Roster expansion
Module spec: #2 (closed)

Add accessLevel option to agent submodule

Summary

Motivation

Specification

Acceptance Criteria

Related