fix: close OC-02 gaps in ACP permission + gateway HTTP deny config (#15390) (thanks @aether-ai-agent)

src/gateway/tools-invoke-http.test.ts

@@ -233,6 +233,7 @@ describe("POST /tools/invoke", () => {
           tools: { allow: ["sessions_spawn"] },
         },
       ],
+      // oxlint-disable-next-line typescript/no-explicit-any
     } as any;
 
     const port = await getFreePort();
@@ -256,6 +257,7 @@ describe("POST /tools/invoke", () => {
   it("denies sessions_send via HTTP gateway", async () => {
     testState.agentsConfig = {
       list: [{ id: "main", tools: { allow: ["sessions_send"] } }],
+      // oxlint-disable-next-line typescript/no-explicit-any
     } as any;
 
     const port = await getFreePort();
@@ -275,6 +277,7 @@ describe("POST /tools/invoke", () => {
   it("denies gateway tool via HTTP", async () => {
     testState.agentsConfig = {
       list: [{ id: "main", tools: { allow: ["gateway"] } }],
+      // oxlint-disable-next-line typescript/no-explicit-any
     } as any;
 
     const port = await getFreePort();

src/gateway/tools-invoke-http.ts

@@ -315,9 +315,9 @@ export async function handleToolsInvokeHttpRequest(
 
   // Gateway HTTP-specific deny list — applies to ALL sessions via HTTP.
   const gatewayToolsCfg = cfg.gateway?.tools;
-  const gatewayDenyNames = DEFAULT_GATEWAY_HTTP_TOOL_DENY
-    .filter((name) => !gatewayToolsCfg?.allow?.includes(name))
-    .concat(Array.isArray(gatewayToolsCfg?.deny) ? gatewayToolsCfg.deny : []);
+  const gatewayDenyNames = DEFAULT_GATEWAY_HTTP_TOOL_DENY.filter(
+    (name) => !gatewayToolsCfg?.allow?.includes(name),
+  ).concat(Array.isArray(gatewayToolsCfg?.deny) ? gatewayToolsCfg.deny : []);
   const gatewayDenySet = new Set(gatewayDenyNames);
   const gatewayFiltered = subagentFiltered.filter((t) => !gatewayDenySet.has(t.name));