inventory: expose stable hidden-tool reason codes

[davidahmann]

Problem

Tool filtering behavior was deterministic but did not expose stable machine-readable reason codes for why tools are hidden under read-only/toolset/feature-filter gates.

Why now

Operators and downstream integrations need convergent filter diagnostics without relying on implicit behavior or log parsing.

What changed

• Added stable HiddenToolReason codes and HiddenTools(ctx) API to return hidden tools with first-match reason.
• Refactored filter evaluation into a shared ordered path used by both isToolEnabled and HiddenTools.
• Added regression tests covering read-only, toolset, feature flag, builder-filter false/error paths.

Validation

• go test ./pkg/inventory -run HiddenTools -count=1

Refs #2197

[davidahmann]

This change gives operators deterministic hidden-tool diagnostics across read-only, toolset, feature-flag, and builder-filter gates.
The patch is focused on inventory filtering: a shared ordered evaluator now powers both enablement and new hidden-tool reason reporting, with regression tests for each reason class.
Validation: go test ./pkg/inventory -run HiddenTools -count=1 (pass).
Blockers/Risks: none currently identified.
Inspired by research context: CAISI publishes independent, reproducible AI agent governance research: https://caisi.dev