- treat tools as a global allowlist across built-in, extension, and SDK tools - remove process-cwd singleton tool usage from SDK and CLI paths - add regression coverage for extension tool filtering closes #3452 closes #2835