fix(core): conditionally expose additional_permissions in shell tool (#23729)

Co-authored-by: Sandy Tao <sandytao520@icloud.com>

packages/core/src/policy/policy-engine.ts

@@ -702,15 +702,6 @@ export class PolicyEngine {
       }
     }
 
-    // Sandbox Expansion requests MUST always be confirmed by the user,
-    // even if the base command is otherwise ALLOWED by the policy engine.
-    if (
-      decision === PolicyDecision.ALLOW &&
-      toolCall.args?.['additional_permissions']
-    ) {
-      decision = PolicyDecision.ASK_USER;
-    }
-
     return {
       decision: this.applyNonInteractiveMode(decision),
       rule: matchedRule,