diff --git a/docs/gateway/tools-invoke-http-api.md b/docs/gateway/tools-invoke-http-api.md index 5c22ee7830d..303b1094518 100644 --- a/docs/gateway/tools-invoke-http-api.md +++ b/docs/gateway/tools-invoke-http-api.md @@ -68,11 +68,19 @@ Important boundary notes: Gateway HTTP also applies a hard deny list by default (even if session policy allows the tool): -- `cron` -- `sessions_spawn` -- `sessions_send` -- `gateway` -- `whatsapp_login` +- `exec` — direct command execution (RCE surface) +- `spawn` — arbitrary child process creation (RCE surface) +- `shell` — shell command execution (RCE surface) +- `fs_write` — arbitrary file mutation on the host +- `fs_delete` — arbitrary file deletion on the host +- `fs_move` — arbitrary file move/rename on the host +- `apply_patch` — patch application can rewrite arbitrary files +- `sessions_spawn` — session orchestration; spawning agents remotely is RCE +- `sessions_send` — cross-session message injection +- `cron` — persistent automation control plane +- `gateway` — gateway control plane; prevents reconfiguration via HTTP +- `nodes` — node command relay can reach system.run on paired hosts +- `whatsapp_login` — interactive setup requiring terminal QR scan; hangs on HTTP You can customize this deny list via `gateway.tools`:
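Review bot: The context line that closes this hunk, "You can customize this deny list via `gateway.tools`:", now follows entries the new text itself labels as RCE surface (`exec`, `spawn`, `shell`, `sessions_spawn`) with no word on what removing one of them means. Suggest adding a sentence before that line stating that taking an entry off the list re-exposes that tool over HTTP, and that the paragraph above already says session policy does not override the list. Two smaller points on the added list: the `whatsapp_login` entry gives an operational reason ("hangs on HTTP") while every other entry gives a security reason, so consider marking it as such or listing it separately so readers do not treat it as equally sensitive; and the wording for the RCE entries is inconsistent ("(RCE surface)" in parentheses for the first three, "spawning agents remotely is RCE" for `sessions_spawn`), which is worth normalizing. Since the default list grows from 5 to 13 entries in this docs file, it would also help to reference where the default is defined so the documentation and the enforced list cannot drift apart.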