fix(policy): preserve optional tool opt-ins for allow-all configs

src/agents/sandbox-tool-policy.test.ts

@@ -39,7 +39,7 @@ describe("pickSandboxToolPolicy", () => {
         alsoAllow: ["web_search"],
       }),
     ).toEqual({
-      allow: [],
+      allow: ["*", "web_search"],
       deny: undefined,
     });
   });

src/agents/sandbox-tool-policy.ts

@@ -14,7 +14,7 @@ function unionAllow(base?: string[], extra?: string[]): string[] | undefined {
     return Array.from(new Set(["*", ...extra]));
   }
   if (base.length === 0) {
-    return base;
+    return Array.from(new Set(["*", ...extra]));
   }
   return Array.from(new Set([...base, ...extra]));
 }

src/agents/tool-policy.test.ts

@@ -5,6 +5,7 @@ import type { SandboxToolPolicy } from "./sandbox/types.js";
 import { TOOL_POLICY_CONFORMANCE } from "./tool-policy.conformance.js";
 import {
   applyOwnerOnlyToolPolicy,
+  collectExplicitAllowlist,
   expandToolGroups,
   isOwnerOnlyToolName,
   normalizeToolName,
@@ -109,6 +110,16 @@ describe("tool-policy", () => {
     expect(applyOwnerOnlyToolPolicy(tools, true)).toHaveLength(1);
   });
 
+  it("preserves explicit alsoAllow hints when allow is empty", () => {
+    expect(
+      collectExplicitAllowlist([
+        {
+          allow: ["*", "optional-demo"],
+        },
+      ]),
+    ).toContain("optional-demo");
+  });
+
   it("strips nodes for non-owner senders via fallback policy", () => {
     const tools = [
       {