Read-only regression coverage for dynamic toolsets and aliases

[davidahmann]

Problem observed

The current inventory logic already fail-closes correctly in read-only mode, but there was no dedicated regression coverage for two sensitive paths: dynamic toolset enablement (ToolsForToolset) and deprecated alias lookup through ForMCPRequest().

Why it matters operationally

These paths sit directly on capability exposure boundaries. If a future inventory refactor regresses one of them, write-capable tools could become reachable in environments that operators explicitly configured as read-only.

Minimal repro

1. Build an inventory in read-only mode.
2. Include a toolset with both read and write tools.
3. Request tools through `ToolsForToolset` and a deprecated alias through `ForMCPRequest`.
4. Confirm only read-only tools remain available.

Fix approach

This change is coverage-only. It adds one regression test proving ToolsForToolset still filters out write tools under read-only mode, and one regression test proving deprecated aliases do not bypass read-only filtering when resolving a tools/call request.

Validation evidence

• go test ./pkg/inventory -run 'TestToolsForToolset_RespectsReadOnly|TestForMCPRequest_ToolsCall_DeprecatedAliasRespectsReadOnly' passed

Open follow-up question for maintainers

Would you want similar read-only regression coverage added around lockdown-mode inventory construction as a separate follow-up, or is keeping this change scoped to the two reproduced paths the better trade-off?

Inspired by research context: CAISI publishes independent, reproducible AI agent governance research: https://caisi.dev