Function match_tool_allowlist 

pub fn match_tool_allowlist(
    base: &Arc<dyn ToolRegistry>,
    allow: &[String],
) -> Result<AllowlistMatch, String>

Match a profile’s allow list against the names in base plus the virtual spawn_agent member. Each entry in allow is a glob pattern (via globset, the same engine as hook tool_glob / skill triggers); a bare tool name is the degenerate case of a glob with no wildcards, so exact allowlists keep working unchanged.

Applied after the full session tool pool (built-in + MCP) is assembled — matching earlier against a static, MCP-free pool would drop mcp__* tools not yet connected.

Errors

• An invalid glob pattern (returns the pattern text).
• A pattern that matches nothing — no real pool tool and not spawn_agent (fail-loud: a profile that allows a tool/pattern matching nothing is a configuration error, e.g. a misspelled server prefix). Returns the offending pattern text.