
Commit be3b4c5

fix: align tool allow lists with gh-aw (#279)
* fix: align tool allow lists with gh-aw
  - Emit --allow-all-tools when bash wildcard (:* or *) is set, dropping all individual --allow-tool flags (matches gh-aw computeCopilotToolArguments)
  - Default to --allow-all-tools when bash is not specified (matches gh-aw's applyDefaultTools sandbox behavior — bash: [*] is the default when sandbox is enabled, and ado-aw agents always run in AWF sandbox)
  - Emit --allow-all-paths when edit tool is enabled (matches gh-aw GetExecutionSteps)
  - Remove DEFAULT_BASH_COMMANDS constant (no longer the default)
  - Update tests and AGENTS.md documentation

  Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix: address review feedback on tool allow list comments
  - Add comment noting wildcard+command mixing is unsupported (cmds.len()==1)
  - Add comment explaining why restricted-bash path emits both --allow-tool write and --allow-all-paths (tool identity vs path scope)
  - Replace silent vec![] fallback with debug_assert! in unreachable None arm

  Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix: address remaining review feedback on tool allow lists
  - Update AGENTS.md copilot_params docs: --allow-all-tools now mentions bash-omitted default, --allow-tool references configured tools instead of deleted DEFAULT_BASH_COMMANDS list
  - Replace debug_assert!(false, ...) with unreachable!() for the bash=None invariant (idiomatic Rust for proven-unreachable paths)
  - Strengthen test_copilot_params_custom_mcp_no_mcp_flag assertion to check --allow-tool (not non-existent --mcp flag)

  Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

--------

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
1 parent 784de06 commit be3b4c5

3 files changed

Lines changed: 204 additions & 115 deletions
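The commit message describes the flag computation in prose only: omitted bash or a `:*`/`*` wildcard collapses to a single `--allow-all-tools`, a named list emits one `--allow-tool` per tool, and `--allow-all-paths` is emitted whenever `edit` is on, independently of the bash mode. The Rust below is an added stand-alone model of those rules; it is not ado-aw's or gh-aw's code. Assumed for illustration: the `ToolsConfig` shape, the `shell(<cmd>)` value format for `--allow-tool`, the fixed tool names (`github`, `safeoutputs`, `write`), and that a wildcard mixed with named commands (which the commit says is unsupported) is rejected outright rather than quietly treated as a restricted list. The "runtime-required commands" the docs mention are left out.

```rust
// Added example, not the project's code. Assumptions are marked inline.

#[derive(Debug, Clone, PartialEq)]
pub struct ToolsConfig {
    /// `tools.bash`: `None` when the field is omitted, `Some(list)` otherwise.
    pub bash: Option<Vec<String>>,
    /// `tools.edit`
    pub edit: bool,
}

#[derive(Debug, PartialEq)]
pub enum AllowListError {
    /// e.g. `bash: [":*", "cat"]`; treating this as an error is an assumption here.
    MixedWildcard(Vec<String>),
}

/// Both spellings the commit message accepts as "allow everything".
fn is_wildcard(cmd: &str) -> bool {
    cmd == ":*" || cmd == "*"
}

fn push_allow_tool(args: &mut Vec<String>, tool: &str) {
    args.push("--allow-tool".to_string());
    args.push(tool.to_string());
}

/// Compute the copilot CLI tool flags for one `tools:` block.
pub fn copilot_tool_args(cfg: &ToolsConfig) -> Result<Vec<String>, AllowListError> {
    let mut args: Vec<String> = Vec::new();
    match cfg.bash.as_deref() {
        // Field omitted: sandbox default, every tool allowed.
        None => args.push("--allow-all-tools".to_string()),
        Some(cmds) => {
            let wildcards = cmds.iter().filter(|c| is_wildcard(c)).count();
            if wildcards > 0 && cmds.len() != 1 {
                return Err(AllowListError::MixedWildcard(cmds.to_vec()));
            }
            if wildcards == 1 {
                // Wildcard: one flag replaces every individual --allow-tool.
                args.push("--allow-all-tools".to_string());
            } else {
                // Restricted path: name each tool the agent may call.
                // Fixed tool names and the shell(<cmd>) format are assumptions.
                for tool in ["github", "safeoutputs"] {
                    push_allow_tool(&mut args, tool);
                }
                if cfg.edit {
                    push_allow_tool(&mut args, "write");
                }
                for cmd in cmds {
                    push_allow_tool(&mut args, &format!("shell({cmd})"));
                }
            }
        }
    }
    // Path scope is separate from tool identity: emitted whenever edit is on,
    // in both the unrestricted and the restricted path.
    if cfg.edit {
        args.push("--allow-all-paths".to_string());
    }
    Ok(args)
}

/// Audit helper: does a compiled flag list grant unrestricted shell execution?
/// Useful when reviewing generated pipelines, since an omitted field and an
/// explicit wildcard produce the same flag.
pub fn grants_unrestricted_shell(args: &[String]) -> bool {
    args.iter().any(|a| a == "--allow-all-tools")
}

fn main() {
    // Constructed sample configurations.
    let cases = [
        ("bash omitted, edit on", ToolsConfig { bash: None, edit: true }),
        ("bash [\"*\"]", ToolsConfig { bash: Some(vec!["*".into()]), edit: false }),
        ("bash [cat, ls], edit on", ToolsConfig { bash: Some(vec!["cat".into(), "ls".into()]), edit: true }),
        ("bash [:*, cat]", ToolsConfig { bash: Some(vec![":*".into(), "cat".into()]), edit: false }),
    ];
    for (label, cfg) in &cases {
        match copilot_tool_args(cfg) {
            Ok(args) => println!(
                "{label}: {} (unrestricted shell: {})",
                args.join(" "),
                grants_unrestricted_shell(&args)
            ),
            Err(e) => println!("{label}: rejected: {e:?}"),
        }
    }
}
```

The point of `grants_unrestricted_shell` is the one this commit makes security-relevant: after the change, leaving `tools.bash` out of a front matter block is no longer a safe default but the permissive one, so a reviewer of generated CLI invocations cannot tell from the config alone whether unrestricted shell was intended.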

File tree

AGENTS.md

Lines changed: 7 additions & 9 deletions
@@ -393,24 +393,20 @@ The `tools` field controls which tools are available to the agent. Both sub-fiel
393393

394394
#### Default Bash Command Allow-list
395395

396-
When `tools.bash` is omitted, the agent can invoke the following shell commands:
397-
398-
```
399-
cat, date, echo, grep, head, ls, pwd, sort, tail, uniq, wc, yq
400-
```
396+
When `tools.bash` is omitted, the agent defaults to **unrestricted bash access** (`--allow-all-tools`). This matches gh-aw's sandbox behavior — since ado-aw agents always run inside the AWF sandbox, all tools are allowed by default.
401397

402398
#### Configuring Bash Access
403399

404400
```yaml
405-
# Default: safe built-in command list (bash field omitted)
401+
# Default: unrestricted bash access (bash field omitted → --allow-all-tools)
406402
tools:
407403
edit: true
408404
409-
# Unrestricted bash access (use with caution)
405+
# Explicit unrestricted bash (same as default) — also accepts "*"
410406
tools:
411407
bash: [":*"]
412408
413-
# Explicit command allow-list
409+
# Explicit command allow-list (restricts to named commands only)
414410
tools:
415411
bash: ["cat", "ls", "grep", "find"]
416412
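Review bot: the heading "#### Default Bash Command Allow-list" (394) is now wrong, since the paragraph under it (396+) says there is no default allow-list at all; rename it to something like "#### Default Bash Access". Two more doc gaps in this hunk: the "use with caution" warning on the `bash: [":*"]` example was dropped (409- → 405+) at the same time that mode became the behavior for a simply omitted field, so the sentence that the AWF sandbox is now the only boundary around shell execution belongs here, not only in the commit message; and the commit message says mixing a wildcard with named commands (e.g. `bash: [":*", "cat"]`) is unsupported, which the "Explicit command allow-list" example (409+) should state rather than leaving it to a code comment.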
@@ -637,8 +633,10 @@ Should be replaced with the human-readable name from the front matter (e.g., "Da
637633
Additional params provided to copilot CLI. The compiler generates:
638634
- `--model <model>` - AI model from `engine` front matter field (default: claude-opus-4.5)
639635
- `--no-ask-user` - Prevents interactive prompts
640-
- `--allow-tool <tool>` - Explicitly allows specific tools (github, safeoutputs, write, shell commands like cat, date, echo, grep, head, ls, pwd, sort, tail, uniq, wc, yq)
641636
- `--disable-builtin-mcps` - Disables all built-in Copilot CLI MCPs (single flag, no argument)
637+
- `--allow-all-tools` - When bash is omitted (default) or has a wildcard (`":*"` or `"*"`), allows all tools instead of individual `--allow-tool` flags
638+
- `--allow-tool <tool>` - When bash is NOT wildcard, explicitly allows configured tools (github, safeoutputs, write, and shell commands from the `bash:` field plus any runtime-required commands)
639+
- `--allow-all-paths` - When `edit` tool is enabled (default), allows the agent to write to any file path
642640

643641
MCP servers are handled entirely by the MCP Gateway (MCPG) and are not passed as copilot CLI params.
644642

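Review bot: the `--allow-tool <tool>` bullet (638+) says shell commands come from the `bash:` field "plus any runtime-required commands" without naming them; this is the list an operator reads to audit what a restricted agent can execute, so either list those commands or reference the constant that holds them, as the previous version (640-) did. The `--allow-all-paths` bullet (639+) calls `edit` the default, but the examples earlier in this file set `edit: true` explicitly; confirm the default and state it the same way in both places. It would also help to say here that the restricted-bash path emits both `--allow-tool write` and `--allow-all-paths` (tool identity vs path scope, per the commit message), since a reader could otherwise assume one implies the other.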
0 commit comments

Comments
 (0)