hitl/generic-approval: drop client-side MCP gate, dispatch approve_always

The 'Always Allow' button is now driven entirely by the server-supplied
allowed_decisions palette. The card no longer peeks at
context.mcp_connector_id to decide whether to render the button, and no
longer fires a separate trust-tool HTTP call on click - one
{type: 'approve_always'} dispatch is enough; the agent middleware
handles the in-memory promotion and (for MCP tools) the database save
via its trusted_tool_saver callback.

Drops the dead trustMCPTool / untrustMCPTool service helpers - they had
no remaining callers after this rework. The backing HTTP routes are
kept on the server as a programmatic surface.

surfsense_web/lib/apis/connectors-api.service.ts

@@ -405,29 +405,6 @@ class ConnectorsApiService {
 		);
 	};
 
-	// =============================================================================
-	// MCP Tool Trust (Allow-List) Methods
-	// =============================================================================
-
-	/**
-	 * Add a tool to the MCP connector's "Always Allow" list.
-	 * Subsequent calls to this tool will skip HITL approval.
-	 */
-	trustMCPTool = async (connectorId: number, toolName: string): Promise<void> => {
-		await baseApiService.post(`/api/v1/connectors/mcp/${connectorId}/trust-tool`, undefined, {
-			body: { tool_name: toolName },
-		});
-	};
-
-	/**
-	 * Remove a tool from the MCP connector's "Always Allow" list.
-	 */
-	untrustMCPTool = async (connectorId: number, toolName: string): Promise<void> => {
-		await baseApiService.post(`/api/v1/connectors/mcp/${connectorId}/untrust-tool`, undefined, {
-			body: { tool_name: toolName },
-		});
-	};
-
 	/** Live stats for the Obsidian connector tile. */
 	getObsidianStats = async (vaultId: string): Promise<ObsidianStats> => {
 		return baseApiService.get<ObsidianStats>(