feat(config): add tools.alsoAllow additive allowlist

src/gateway/tools-invoke-http.ts

@@ -130,9 +130,22 @@ export async function handleToolsInvokeHttpRequest(
     agentProviderPolicy,
     profile,
     providerProfile,
+    profileAlsoAllow,
+    providerProfileAlsoAllow,
   } = resolveEffectiveToolPolicy({ config: cfg, sessionKey });
   const profilePolicy = resolveToolProfilePolicy(profile);
   const providerProfilePolicy = resolveToolProfilePolicy(providerProfile);
+
+  const mergeAlsoAllow = (policy: typeof profilePolicy, alsoAllow?: string[]) => {
+    if (!policy?.allow || !Array.isArray(alsoAllow) || alsoAllow.length === 0) return policy;
+    return { ...policy, allow: Array.from(new Set([...policy.allow, ...alsoAllow])) };
+  };
+
+  const profilePolicyWithAlsoAllow = mergeAlsoAllow(profilePolicy, profileAlsoAllow);
+  const providerProfilePolicyWithAlsoAllow = mergeAlsoAllow(
+    providerProfilePolicy,
+    providerProfileAlsoAllow,
+  );
   const groupPolicy = resolveGroupToolPolicy({
     config: cfg,
     sessionKey,
@@ -183,11 +196,11 @@ export async function handleToolsInvokeHttpRequest(
     return expandPolicyWithPluginGroups(resolved.policy, pluginGroups);
   };
   const profilePolicyExpanded = resolvePolicy(
-    profilePolicy,
+    profilePolicyWithAlsoAllow,
     profile ? `tools.profile (${profile})` : "tools.profile",
   );
   const providerProfileExpanded = resolvePolicy(
-    providerProfilePolicy,
+    providerProfilePolicyWithAlsoAllow,
     providerProfile ? `tools.byProvider.profile (${providerProfile})` : "tools.byProvider.profile",
   );
   const globalPolicyExpanded = resolvePolicy(globalPolicy, "tools.allow");