
feat: enforce expected allowed tools #105

Open
snoopuppy582 wants to merge 1 commit into OWASP:main from snoopuppy582:feat/89-allowed-tools-assertion

@snoopuppy582

Fixes #89

Summary

Extends no_denied_tool_call so expected.allowed_tools is enforced as an allowlist when present.

Changes

  • Keeps expected.denied_tools as the existing denylist semantics.
  • Treats expected.allowed_tools as an allowlist; an empty list means no tool calls are allowed.
  • Reports unexpected tool names and the configured allowlist in failure evidence.
  • Validates expected.allowed_tools and expected.denied_tools shapes during scenario loading.
  • Adds unit tests, a trace fixture demonstrating an unexpected tool call, and docs/README updates.

Tests

  • uv run pytest tests/test_assertions.py tests/test_scenarios.py -q -> 34 passed
  • uv run pytest tests/test_cli.py tests/test_live_http.py tests/test_assertions.py tests/test_scenarios.py -q -> 51 passed
  • uv run pytest -q -> 143 passed
  • uv run --with ruff ruff check src tests -> passed
  • git diff --check -> passed

AI-assisted contribution disclosure

  • Tool used: OpenAI Codex.
  • AI-assisted parts: implementation draft, tests, docs wording, and PR preparation.
  • Human review: I reviewed the final diff, kept the assertion behavior scoped to no_denied_tool_call, verified the allowlist/denylist precedence, and ran the tests/checks listed above.
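
The allowlist semantics listed under Changes, as an added sketch that is not code from this PR or the project: `validate_tool_list`, `check_tool_calls` and the result keys are hypothetical names, the trace is constructed, and the sketch assumes the denylist still applies to a tool that also appears on the allowlist. It shows why an absent `allowed_tools` and an empty one have to be told apart, and why the list shape is validated before use.

```python
from typing import Optional


def validate_tool_list(expected: dict, key: str) -> Optional[list]:
    """Return the list stored under `key`, or None when the key is absent."""
    if key not in expected:
        return None
    value = expected[key]
    # Without this check a bare string such as "search_docs" would be
    # treated as a collection of single characters by the membership tests.
    if not isinstance(value, list) or not all(isinstance(v, str) for v in value):
        raise ValueError(f"expected.{key} must be a list of strings")
    return value


def check_tool_calls(expected: dict, called: list) -> dict:
    """Evaluate the called tool names against the denylist and optional allowlist."""
    denied = validate_tool_list(expected, "denied_tools") or []
    allowed = validate_tool_list(expected, "allowed_tools")

    denied_hits = sorted({t for t in called if t in denied})
    # Compare with None, not truthiness: [] is a real allowlist that
    # permits no tool calls, while a missing key means "no allowlist".
    if allowed is None:
        unexpected = []
    else:
        unexpected = sorted({t for t in called if t not in allowed})

    return {
        "passed": not denied_hits and not unexpected,
        "denied_called": denied_hits,
        "unexpected_called": unexpected,  # evidence: names outside the allowlist
        "allowed_tools": allowed,         # evidence: the configured allowlist
    }


# Constructed sample: tool names called in one agent trace.
TRACE = ["search_docs", "send_email"]

if __name__ == "__main__":
    print(check_tool_calls({"allowed_tools": ["search_docs"]}, TRACE))
```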

Development

Successfully merging this pull request may close these issues.

Implement expected.allowed_tools enforcement
