refactor(security): unify gateway scope authorization flows

src/agents/tools/common.ts

@@ -19,6 +19,8 @@ export type ActionGate<T extends Record<string, boolean | undefined>> = (
   defaultValue?: boolean,
 ) => boolean;
 
+export const OWNER_ONLY_TOOL_ERROR = "Tool restricted to owner senders.";
+
 export class ToolInputError extends Error {
   readonly status = 400;
 
@@ -208,6 +210,12 @@ export function jsonResult(payload: unknown): AgentToolResult<unknown> {
   };
 }
 
+export function assertOwnerSender(senderIsOwner?: boolean): void {
+  if (senderIsOwner === false) {
+    throw new Error(OWNER_ONLY_TOOL_ERROR);
+  }
+}
+
 export async function imageResult(params: {
   label: string;
   path: string;