phase2 amend: __ separator (Bedrock-safe) + post_sse error diagnostics

Phase 7 verify finding from TC #26 against :model cloud:
  HTTP 400 from openrouter→Amazon Bedrock:
  "tools.0.custom.name: String should match pattern
   '^[a-zA-Z0-9_-]{1,128}$'"

Anthropic via Bedrock validates tool names against that regex and
rejects dots. PHASE2 originally chose "." as the namespace separator
("boltzmann.list_dir"); OpenAI tolerated it, Bedrock does not.

Separator switched to "__" (two underscores) everywhere — internal
API matches on-wire shape, no transformation layer:

  - repl.lua:
    - tools_schema builds "alias__name"
    - dispatch_tool_call splits via "^(.-)__(.+)$" (non-greedy → leftmost __)
    - :mcp tool parser uses same split
    - :mcp tools formatter prints "alias__name"
    - HELP block shows <alias__name>
  - safety.lua confirm_tool_call: alias.* glob → alias__* glob
  - config.lua example block: keys rewritten
  - docs/PHASE2.md: amendment header added; §1, §2 row, §3 config.lua
    row, §5 wire-shape JSON examples, §6 auto_approve schema, §7
    meta-cmd table, §12 plan all updated. Original "." references
    preserved in commit history.

Constraint: aliases must not themselves contain "__" so the parse
stays unambiguous. Tool names from MCP servers may have underscores
freely.

Second fix bundled — uninformative broker error:
  Previously "broker error: transport: HTTP response code said error"
  Now      "broker error: transport: HTTP 400: {full body snippet}"

ffi/curl.lua M.post_sse changes:
  - FAILONERROR no longer set (was hiding the response body).
  - raw_body accumulator added alongside the SSE buffer; captures
    every byte regardless of SSE shape.
  - After perform, check status_code via curl_easy_getinfo. On >=400,
    return (nil, "HTTP <code>: <body[:400]>"). 2xx unchanged.
  - End-of-stream SSE flush only runs on 2xx (no false event on
    error bodies that aren't SSE-shaped).
  - Phase 1 callers reading just first return slot stay correct.

End-to-end verified:
  - :model cloud + tools=[boltzmann__read_file ...] +
    "Use boltzmann__read_file with path=/etc/hostname" →
    Claude emits tool_call with name="boltzmann__read_file",
    args='{"path": "/etc/hostname"}'. ok=true, transport clean.
  - Force-bad tool name "bad.name.with.dots" → err string carries
    the full bedrock 400 with the regex-pattern message visible.

TC #26 (sub-loop end-to-end) is now testable against cloud — the
error that blocked it is resolved.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

config.lua

@@ -59,7 +59,10 @@ return {
     --         -- Each entry: alias = { url = "...", auth_token = "..." | auth_env = "..." }
     --         -- auth_token literal > auth_env env-var indirection > nil (no auth).
     --         -- Aliases become the namespace prefix on tool names sent to the model
-    --         -- ("<alias>.<tool>" — e.g. "boltzmann.list_dir").
+    --         -- ("<alias>__<tool>" — e.g. "boltzmann__list_dir"). The separator is
+    --         -- "__" (two underscores) because Anthropic via Bedrock validates tool
+    --         -- names against ^[a-zA-Z0-9_-]{1,128}$ — dots are rejected.
+    --         -- Aliases themselves must not contain "__".
     --         boltzmann = {
     --             url      = "http://boltzmann.fritz.box:8080/mcp",
     --             auth_env = "BOLTZMANN_MCP_TOKEN",
@@ -75,14 +78,14 @@ return {
     --
     --     -- Per-call confirm gate auto-approve policy.
     --     -- Key forms:
-    --     --   "<alias>.<tool>" — auto-approve one specific tool
-    --     --   "<alias>.*"      — auto-approve every tool on that server
+    --     --   "<alias>__<tool>" — auto-approve one specific tool
+    --     --   "<alias>__*"      — auto-approve every tool on that server
     --     -- Anything not matched falls back to the [y/N] prompt.
     --     auto_approve = {
-    --         ["boltzmann.read_file"]    = true,
-    --         ["boltzmann.list_dir"]     = true,
-    --         ["boltzmann.search_files"] = true,
-    --         ["hertz.*"]                = true,   -- trust the hub fully
+    --         ["boltzmann__read_file"]    = true,
+    --         ["boltzmann__list_dir"]     = true,
+    --         ["boltzmann__search_files"] = true,
+    --         ["hertz__*"]                = true,   -- trust the hub fully
     --     },
     --
     --     -- Tool-call sub-loop budget per ask_ai turn. Hitting the cap surfaces