fix: warn on invalid auto-approve-risk header; make config required in write tools

[sunilgattupalle]

Summary

Follow-up to #204 — two review nits that were in a commit on the PR branch but didn't make it into the merge.

• session-headers.ts: log a warn when X-Harness-Auto-Approve-Risk contains an unrecognized value (e.g. "read", typos) instead of silently falling back to the deployment default. Prevents confusing silent behavior where a misconfigured client gets a different security posture than intended.
• Write tool registrars (harness_create, harness_update, harness_delete, harness_execute): change config?: Config → config: Config. The parameter is always passed by registerAllTools — making it optional was a type lie that would let future callers omit it and silently use the process-global auto-approve default instead of the session value.

Test plan

• pnpm typecheck passes
• pnpm test passes
• Sending an invalid X-Harness-Auto-Approve-Risk: read header in an HTTP session logs a warning and uses the deployment default

🤖 Generated with Claude Code

[CLAassistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}