feat: detect wildcard allowedTools as unrestricted#1

Merged
brandonwise merged 1 commit into main from auto/pm-presence-20260331
Apr 1, 2026

Conversation

@brandonwise
Owner

@brandonwise brandonwise commented Apr 1, 2026

Summary

Wildcard tool allowlists (allowedTools: ["*"], all, any) were being treated as safe restrictions.

This PR makes wildcard allowlists fail closed across scan + inspect so broad tool exposure is surfaced instead of silently passing.

Why now

Recent demand signals keep converging on the same failure mode: agentic permissions without real guardrails.

What changed

  • Added shared config helpers to classify allowedTools as:
    • effective (explicit least-privilege entries)
    • wildcard/unrestricted (*, all, any, etc.)
  • Updated AW-007 to flag wildcard allowlists as effectively unrestricted, with clearer remediation text.
  • Updated AW-003 (shell) and AW-008 (write-capable tools) so wildcard allowlists no longer suppress findings.
  • Updated inspect output:
    • allowlist_present=false when wildcard allowlists are used
    • adds a wildcard_allowlist risk tag
  • Added unit coverage for all new wildcard behaviors.

Validation (deep)

1) Full test suite (repo-level)

  • cargo test --quiet -- --test-threads=1
    ✅ PASS (202 unit tests + 34 integration tests)

2) Targeted tests for changed modules

  • cargo test wildcard_allowlist --quiet
    ✅ PASS (5 targeted tests)

3) Lint/type/build checks

  • cargo clippy --all-targets -- -D warnings
    ✅ PASS
  • cargo build --release
    ✅ PASS

4) Smoke/integration behavior check

Command run:

tmp=$(mktemp /tmp/agentwise-wildcard-XXXXXX) && cat > "$tmp" <<'JSON'
{
  "mcpServers": {
    "fetch": {
      "command": "npx",
      "args": ["-y", "@modelcontextprotocol/server-fetch"],
      "allowedTools": ["*"]
    }
  }
}
JSON
cargo run --quiet -- scan "$tmp" --format json > /tmp/agentwise-wildcard-scan.json
python3 - <<'PY'
import json
obj=json.load(open('/tmp/agentwise-wildcard-scan.json'))
aw007=[f for f in obj['findings'] if f.get('rule_id')=='AW-007']
print('AW-007 findings:', len(aw007))
print('Top title:', aw007[0]['title'] if aw007 else 'none')
PY

✅ PASS

  • AW-007 findings: 1
  • Top title: Wildcard tool allowlist on high-risk server

Risk / rollout

Low-risk, scoped rule-hardening change. No unrelated refactors.
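The classification the "What changed" list describes, written out as an added example (not the project's own helper code): a wildcard token anywhere in allowedTools fails the whole list closed, and the inspect-style summary then reports allowlist_present=false plus the wildcard_allowlist tag. The type names, the `**` token, and case-insensitive matching are assumptions made here for illustration.

```rust
/// How an MCP server's `allowedTools` entry should be read by a scanner.
#[derive(Debug, PartialEq, Eq, Clone, Copy)]
pub enum AllowlistKind {
    /// No `allowedTools` key at all: nothing restricts the server.
    Absent,
    /// Every entry names a specific tool: a real least-privilege restriction.
    Effective,
    /// At least one entry is a wildcard token, so the list restricts nothing.
    /// Fail closed: a single "*" among explicit names still makes the list unrestricted.
    Wildcard,
}

/// Tokens treated as "allow everything". Case-insensitive, whitespace-trimmed
/// matching and the `**` token are assumptions of this example.
const WILDCARD_TOKENS: &[&str] = &["*", "**", "all", "any"];

pub fn is_wildcard_entry(entry: &str) -> bool {
    let normalized = entry.trim().to_ascii_lowercase();
    WILDCARD_TOKENS.contains(&normalized.as_str())
}

pub fn classify_allowlist(allowed_tools: Option<&[&str]>) -> AllowlistKind {
    match allowed_tools {
        None => AllowlistKind::Absent,
        Some(entries) if entries.iter().any(|e| is_wildcard_entry(e)) => AllowlistKind::Wildcard,
        // An empty list allows nothing, so it counts as an effective restriction here.
        Some(_) => AllowlistKind::Effective,
    }
}

/// The two inspect fields the PR touches, derived from the classification.
#[derive(Debug, PartialEq, Eq)]
pub struct InspectSummary {
    pub allowlist_present: bool,
    pub risk_tags: Vec<&'static str>,
}

pub fn summarize(allowed_tools: Option<&[&str]>) -> InspectSummary {
    match classify_allowlist(allowed_tools) {
        AllowlistKind::Effective => InspectSummary { allowlist_present: true, risk_tags: vec![] },
        AllowlistKind::Wildcard => InspectSummary { allowlist_present: false, risk_tags: vec!["wildcard_allowlist"] },
        AllowlistKind::Absent => InspectSummary { allowlist_present: false, risk_tags: vec![] },
    }
}

fn main() {
    // Constructed input mirroring the smoke test above: the fetch server with ["*"].
    println!("{:?}", summarize(Some(&["*"][..])));
}
```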

@brandonwise brandonwise merged commit fbc4953 into main Apr 1, 2026
8 checks passed
@brandonwise brandonwise deleted the auto/pm-presence-20260331 branch April 1, 2026 01:15