feat(qw4): hook safety_checks_provider + extension /replay/resume avec acquittements

replay_state enrichi de safety_checks, checks_acknowledged, pause_reason,
pause_payload (audit trail).

Branche supervisée pause_for_human :
- appel build_pause_payload() avant bascule paused_need_help
- log [BUS] lea:safety_checks_generated (count, sources)
- fallback safe sur exception (pause sans checks plutôt que crash)
- déclenchement si safety_level/safety_checks déclarés OU execution_mode != autonomous
- sinon comportement legacy (skip silencieux)

POST /replay/resume :
- accepte body { acknowledged_check_ids: [...] }
- vérifie tous les checks required acquittés, sinon 400 required_checks_missing
- stocke checks_acknowledged comme audit trail
- nettoie safety_checks/pause_payload après reprise

Proxy VWB /api/v3/replay/resume → streaming /replay/{id}/resume (forward bearer
token + acknowledged_check_ids).

Backward 100% : workflows sans safety_checks → resume sans acquittement requis.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

agent_v0/server_v1/replay_engine.py

@@ -1384,6 +1384,11 @@ def _create_replay_state(
         # QW2 — Anneaux d'historique pour LoopDetector (5 derniers max)
         "_screenshot_history": [],   # images PIL des N derniers heartbeats (LoopDetector embed à chaque tick)
         "_action_history": [],       # N dernières actions exécutées (signature)
+        # QW4 — Safety checks (hybride déclaratif + LLM contextuel) et audit acquittements
+        "safety_checks": [],            # liste produite par SafetyChecksProvider
+        "checks_acknowledged": [],      # ids acquittés via /replay/resume (audit trail)
+        "pause_reason": "",             # "loop_detected" | "" pour V1
+        "pause_payload": None,          # payload complet pour debug/audit
     }