Summary

Add optional tools_include and tools_exclude fields to gateways that filter which tools are imported from a remote MCP server during refresh, registration, update, and activation.

Use Case

When connecting to a single MCP backend that exposes many tools (e.g. an IT service management API with 40+ tools), it is often desirable to split it into multiple gateways serving different tool subsets:

• Gateway A: all tools except project management (tools_exclude: ["*project*"])
• Gateway B: only project management tools (tools_include: ["*project*"])

This enables different authentication schemes per gateway (e.g. OAuth for general tools, API key for project tools) without requiring upstream server changes.

Proposed Changes

• DB model: tools_include and tools_exclude JSON columns on Gateway
• Schemas: Fields on GatewayCreate, GatewayUpdate, GatewayRead
• Gateway service: _apply_tool_filters() helper using fnmatch glob patterns, applied at 4 call sites (refresh, register, update, activate)
• Export/Import: Include tool filters in gateway export/import
• Admin UI: Input fields for comma-separated glob patterns in create and edit forms
• Alembic migration: New columns with IF NOT EXISTS guard

Filtering Logic

1. If tools_include is set, only tools whose name matches at least one include pattern are kept
2. If tools_exclude is set, tools matching any exclude pattern are removed
3. When both are set, include is applied first, then exclude
4. Empty/null means no filtering (all tools pass through)

Patterns use Python fnmatch syntax (e.g. *project*, manage-ticket*).