Persist and expose agent access grants for non-user audiences #2015

@chubes4

Problem

Data Machine exposes its agent access table through Agents API, but the current model is keyed by WordPress user IDs. That means Data Machine can grant viewer, operator, and admin access to logged-in users, but cannot grant selected agents to a non-user audience such as public visitors, proxy-authenticated org members, or a trusted frontend runtime.

Concrete scenario

A WP Cloud site can be private/proxied at the edge. Requests reaching WordPress represent an internal audience, but the visitors are not logged into WordPress. Frontend Agent Chat currently cannot list or operate brain agents for that audience because Data Machine has no audience-grant primitive.

Proposed shape

  • Add an explicit audience/principal grant model alongside user grants.
  • Expose those grants through Data Machine's WP_Agent_Access_Store adapter once Agents API supports audience principals.
  • Provide CLI/ability surfaces for granting selected agents to audiences, e.g. audience:public or audience:automattician.
  • Keep existing user grants and ownership semantics intact.

Acceptance criteria

  • Data Machine can persist an operator grant for a named audience and a specific agent.
  • Agents API access listing/checking can resolve those grants via Data Machine's adapter.
  • Existing datamachine_agent_access user grants continue to work.
  • The design avoids downstream bypass filters for frontend brain chat.

Related upstream need

Automattic/agents-api needs a generic non-user/audience principal and access-store contract for this to be clean.
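
The grant model proposed above, as an added PHP sketch that is not code from this issue, Data Machine or Agents API: one store keyed by principal string, so user grants and audience grants resolve through the same default-deny check. The `GrantStore` class, the `user:<id>` principal form, the agent slugs and the role ordering viewer < operator < admin are assumptions; only the `audience:public` and `audience:automattician` names come from the issue.

```php
<?php
// Added sketch; every name here is hypothetical, not Data Machine or Agents API code.
// Assumed role order: viewer < operator < admin.
const ROLE_RANK = ['viewer' => 1, 'operator' => 2, 'admin' => 3];

final class GrantStore
{
    /** @var array<string, array<string, string>> principal => [agent => role] */
    private array $grants = [];

    public function grant(string $principal, string $agent, string $role): void
    {
        // Reject anything that is not "user:<id>" or "audience:<name>".
        if (!preg_match('/\A(?:user:[1-9][0-9]*|audience:[a-z0-9_-]+)\z/', $principal)) {
            throw new InvalidArgumentException("bad principal: $principal");
        }
        if (!array_key_exists($role, ROLE_RANK)) {
            throw new InvalidArgumentException("bad role: $role");
        }
        $this->grants[$principal][$agent] = $role;
    }

    /** True if any principal holds at least $needed on $agent; no grant means deny. */
    public function can(array $principals, string $agent, string $needed): bool
    {
        // Validate first: an unknown role would otherwise compare against null and pass.
        if (!array_key_exists($needed, ROLE_RANK)) {
            throw new InvalidArgumentException("bad role: $needed");
        }
        foreach ($principals as $p) {
            $role = $this->grants[$p][$agent] ?? null;
            if ($role !== null && ROLE_RANK[$role] >= ROLE_RANK[$needed]) {
                return true;
            }
        }
        return false;
    }
}

$store = new GrantStore();
$store->grant('user:42', 'brain-a', 'admin');                   // constructed user grant
$store->grant('audience:automattician', 'brain-a', 'operator'); // constructed audience grant

// Assumption: principals are derived server-side (WordPress session, edge proxy),
// never taken from request parameters.
$visitor = ['audience:public', 'audience:automattician'];
var_dump($store->can($visitor, 'brain-a', 'operator'));
var_dump($store->can($visitor, 'brain-a', 'admin'));
var_dump($store->can($visitor, 'brain-b', 'viewer'));
var_dump($store->can(['user:42'], 'brain-a', 'admin'));
```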
