feat(phase2-E): multi-provider routing via secutools delegation

Adds optional delegation of agent-queue tasks to the SecuAAS secutools
AI platform (GPU / Gemini / Claude API) instead of dispatching to a
local Claude Code tmux session. Per-task opt-in via YAML frontmatter
fields preferred_ai, allow_delegation, complexity_hint — absence keeps
the Phase 1 behaviour exactly (zero breaking change).

Go side:
- internal/secutools: HTTP client with exponential-backoff retries
  (SubmitJob/GetJob/WaitForResult), DecideProvider map adapter for CLI
  use, table tests.
- internal/router: struct-typed Decide() with strict precedence
  (needs_claude_code > preferred_ai=claude-code > allow_delegation=false
  > preferred_ai > fail-safe local on unknown).
- internal/delegation: Manager submits jobs, writes .md.delegated
  markers for on-restart recovery, runs a periodic reaper that moves
  completed jobs into done/ with provider/cost footer and failed jobs
  into failed/.
- internal/dispatcher: WithDelegation() opt-in, routeTask hook before
  findFreeSession, skips .md.delegated in assignNextTask.
- internal/api: /api/delegated/status (active jobs + counters),
  /watchdog/status extended with delegation counters.
- cmd/ccl-delegate: small CLI exposing submit/get/result/decide so the
  bash dispatcher can call the same contract without duplicating logic.
- cmd/claude-failover: delegation wired opt-in via SECUTOOLS_API_KEY.

Tests:
- 29+ new unit tests across router, secutools, delegation, dispatcher,
  api packages. go test -race -count=1 clean.
- tests/phase2-E-integration.sh: bash end-to-end against a Python
  stdlib mock HTTP server, exercising the dev-management scripts.

Forward-compat with watchdog (Phase 1 B1 already ignores
state=delegated_to_secutools) so delegated tasks aren't flagged stale.

WORK_IN_PROGRESS.md

@@ -1,12 +1,30 @@
 # Travaux en Cours - claude-failover
 
 ## Dernière mise à jour
-2026-04-16 19:00:00
+2026-04-17 02:20:00
 
 ## Version Actuelle
-0.3.5 (en cours de progression vers 0.4.0)
+0.4.0 — Phase 2 chantier E livré (multi-provider routing + bash wiring).
 
-## Demande Actuelle
+## Demande en cours
+Aucune demande active. Branche `feat/phase2-E-multi-provider-routing`
+prête à push (en attente de validation utilisateur).
+
+## Phase 2 / Chantier E — Statut
+- [x] router (decide tree + 8 tests)
+- [x] secutools client (HTTP + 5 tests + 2 retry tests)
+- [x] secutools/routing.go DecideProvider(map) + 14 table tests
+- [x] delegation manager (submit + reaper + LoadFromDisk + 7 tests)
+- [x] dispatcher integration (routeTask + dispatchProject branch + 5 tests)
+- [x] API endpoints `/api/delegated/status` + `/watchdog/status` enrichi
+- [x] main.go opt-in via `SECUTOOLS_API_KEY`
+- [x] `cmd/ccl-delegate` CLI Go pour bash wrapper
+- [x] tests/phase2-E-integration.sh bout-en-bout avec mock Python
+- [x] tests `-race` clean
+- [ ] smoke test E2E avec vraie API secutools (à faire après push)
+- [ ] dashboard MCP `Secuaas:orchestrator` consommer `/api/delegated/status`
+
+## Demande Précédente
 **Phase 1 / Chantier A — Failover robuste** (spec dans `ccl-platform/phases/phase1/A-failover.md`).
 Rendre le failover compte1 ↔ compte2 déterministe en intégrant dans le code les fixes manuels
 (symlinks partagés), en ajoutant un registre UUID fiable, et en durcissant tmux send-keys.