docs(acp): align approval policy wording

docs/cli/acp.md

@@ -100,7 +100,7 @@ Permission model (client debug mode):
 
 - Auto-approval is allowlist-based and only applies to trusted core tool IDs.
 - `read` auto-approval is scoped to the current working directory (`--cwd` when set).
-- Unknown/non-core tool names, out-of-scope reads, and dangerous tools always require explicit prompt approval.
+- ACP only auto-approves narrow readonly classes: scoped `read` calls under the active cwd plus readonly search tools (`search`, `web_search`, `memory_search`). Unknown/non-core tools, out-of-scope reads, exec-capable tools, control-plane tools, mutating tools, and interactive flows always require explicit prompt approval.
 - Server-provided `toolCall.kind` is treated as untrusted metadata (not an authorization source).
 
 ## How to use this

src/security/dangerous-tools.ts

@@ -1,5 +1,5 @@
 // Shared tool-risk constants.
-// Keep these centralized so gateway HTTP restrictions, security audits, and ACP prompts don't drift.
+// Keep these centralized so gateway HTTP restrictions and security audits don't drift.
 
 /**
  * Tools denied via Gateway HTTP `POST /tools/invoke` by default.
@@ -34,22 +34,3 @@ export const DEFAULT_GATEWAY_HTTP_TOOL_DENY = [
   // Interactive setup — requires terminal QR scan, hangs on HTTP
   "whatsapp_login",
 ] as const;
-
-/**
- * ACP tools that should always require explicit user approval.
- * ACP is an automation surface; we never want "silent yes" for mutating/execution tools.
- */
-export const DANGEROUS_ACP_TOOL_NAMES = [
-  "exec",
-  "spawn",
-  "shell",
-  "sessions_spawn",
-  "sessions_send",
-  "gateway",
-  "fs_write",
-  "fs_delete",
-  "fs_move",
-  "apply_patch",
-] as const;
-
-export const DANGEROUS_ACP_TOOLS = new Set<string>(DANGEROUS_ACP_TOOL_NAMES);