feat: add --readonly flag for worker sandboxes (gt-ymo)

Add a --readonly flag that blocks all write operations, allowing workers
to read beads state without modifying it. Workers can use:
- bd show, bd list, bd ready (read operations)

Workers cannot use:
- bd create, bd update, bd close, bd sync, etc. (write operations)

The flag can be set via:
- --readonly flag on command line
- BD_READONLY=true environment variable
- readonly: true in config file

This enables swarm workers to see their assigned work from a static
snapshot of the beads database without accidentally modifying it.

Commands protected by readonly mode:
- create, update, close, delete, edit
- sync, import, reopen
- comment add, dep add/remove, label add/remove
- repair-deps, compact, migrate, migrate-hash-ids, migrate-issues
- rename-prefix, validate --fix-all, duplicates --auto-merge
- epic close-eligible, jira sync

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

cmd/bd/errors.go

@@ -51,3 +51,21 @@ func FatalErrorWithHint(message, hint string) {
 func WarnError(format string, args ...interface{}) {
 	fmt.Fprintf(os.Stderr, "Warning: "+format+"\n", args...)
 }
+
+// CheckReadonly exits with an error if readonly mode is enabled.
+// Call this at the start of write commands (create, update, close, delete, sync, etc.).
+// Used by worker sandboxes that should only read beads, not modify them.
+//
+// Example:
+//
+//	var createCmd = &cobra.Command{
+//	    Run: func(cmd *cobra.Command, args []string) {
+//	        CheckReadonly("create")
+//	        // ... rest of command
+//	    },
+//	}
+func CheckReadonly(operation string) {
+	if readonlyMode {
+		FatalError("operation '%s' is not allowed in read-only mode", operation)
+	}
+}