sync(bfmono): test(gambit): align sandbox assertion + extend runtime coverage (+19 more) (bfmono@2967fb893)

This PR is an automated gambitmono sync of bfmono Gambit packages.

- Source: `packages/gambit/`
- Core: `packages/gambit-core/`
- bfmono rev: 2967fb893

Changes:
- 2967fb893 test(gambit): align sandbox assertion + extend runtime coverage
- b746e6453 fix(gambit-core): honor directory permission scopes
- 2dcd5f19d fix(gambit-core): include orchestration worker in bootstrap reads
- 52d54d3c7 fix(gambit-core): constrain inspect worker bootstrap reads
- a4b617849 fix(gambit-core): tighten worker bootstrap reads and child deadlines
- 9b8b6fa96 fix(gambit-core): harden worker bootstrap import parsing
- 3966dcbb8 fix(gambit-core): preserve nested sandboxing in orchestration worker
- 717c5a40c test(gambit-core): add phase-5 orchestration-worker serial invariants
- 7e6296a1d feat(gambit-core): run root llm orchestration in worker sandbox
- 3c1b5851a docs(gambit): document worker sandbox defaults and rollback flags
- 14a94c886 feat(gambit): default worker exec on cli surfaces with rollback controls
- 21e6b4d37 fix(gambit-server): persist and catch backend errors across build/test/grade
- 29eaa58b7 fix(gambit): enforce inherited permissions in OpenAI compat actions
- d502df5cd feat(gambit-core): add permission-gated built-in file tooling
- c04141504 feat(gambit-cli): add session permission override flags
- 85442ffcd test(gambit-core): add worker bootstrap permission regressions
- 08bab3af1 feat(gambit-core): add worker compute runner with bridged permissions
- 70ec3b942 feat(gambit): add tool-call-aware grader schemas and root-deck guards
- cae381f00 feat(gambit): align scaffolds with product command and hourglass policies
- 5faa48b35 feat(gambit): move bot policy to folder and enforce policy summarizer flow

Do not edit this repo directly; make changes in bfmono and re-run the sync.

Author: bft-codebot

docs/external/reference/cli.md

@@ -11,15 +11,15 @@ How to run Gambit, the agent harness framework, locally and observe runs.
   - Command help: `deno run -A src/cli.ts help <command>` (or
     `deno run -A src/cli.ts <command> -h`).
 - Run once:
-  `deno run -A src/cli.ts run <deck> [--context <json|string>] [--message <json|string>] [--model <id>] [--model-force <id>] [--trace <file>] [--state <file>] [--stream] [--responses] [--verbose]`
+  `deno run -A src/cli.ts run <deck> [--context <json|string>] [--message <json|string>] [--model <id>] [--model-force <id>] [--trace <file>] [--state <file>] [--stream] [--responses] [--verbose] [--worker-sandbox|--no-worker-sandbox|--legacy-exec]`
 - Check models: `deno run -A src/cli.ts check <deck>`
 - REPL: `deno run -A src/cli.ts repl <deck>` (defaults to
   `src/decks/gambit-assistant.deck.md` in a local checkout). Streams by default
   and keeps state in memory for the session.
 - Test bot (CLI):
-  `deno run -A src/cli.ts test-bot <root-deck> --test-deck <persona-deck> [--context <json|string>] [--bot-input <json|string>] [--message <json|string>] [--max-turns <n>] [--state <file>] [--grade <grader-deck> ...] [--trace <file>] [--responses] [--verbose]`
+  `deno run -A src/cli.ts test-bot <root-deck> --test-deck <persona-deck> [--context <json|string>] [--bot-input <json|string>] [--message <json|string>] [--max-turns <n>] [--state <file>] [--grade <grader-deck> ...] [--trace <file>] [--responses] [--verbose] [--worker-sandbox|--no-worker-sandbox|--legacy-exec]`
 - Grade (CLI):
-  `deno run -A src/cli.ts grade <grader-deck> --state <file> [--model <id>] [--model-force <id>] [--trace <file>] [--responses] [--verbose]`
+  `deno run -A src/cli.ts grade <grader-deck> --state <file> [--model <id>] [--model-force <id>] [--trace <file>] [--responses] [--verbose] [--worker-sandbox|--no-worker-sandbox|--legacy-exec]`
 - Export bundle (CLI):
   `deno run -A src/cli.ts export [<deck>] --state <file> --out <bundle.tar.gz>`
 - Debug UI: `deno run -A src/cli.ts serve <deck> --port 8000` then open
@@ -46,6 +46,15 @@ How to run Gambit, the agent harness framework, locally and observe runs.
 - `GAMBIT_RESPONSES_MODE=1`: env alternative to `--responses` for runtime/state.
 - `GAMBIT_OPENROUTER_RESPONSES=1`: route OpenRouter calls through the Responses
   API (experimental; chat remains the default path).
+- Worker execution defaults on for deck-executing surfaces. Use
+  `--no-worker-sandbox` (or `--legacy-exec`) to roll back to legacy in-process
+  execution. `--sandbox/--no-sandbox` still work as deprecated aliases.
+- `gambit.toml` config equivalent:
+  ```toml
+  [execution]
+  worker_sandbox = false # same as --no-worker-sandbox
+  # legacy_exec = true    # equivalent rollback toggle
+  ```
 
 ## State and tracing
 

docs/external/reference/cli/commands/bot.md

@@ -1,12 +1,17 @@
 +++
 command = "bot"
 summary = "Run the Gambit bot assistant"
-usage = "gambit bot [<dir>] [--bot-root <dir>] [--model <id>] [--model-force <id>] [--responses] [--verbose]"
+usage = "gambit bot [<dir>] [--bot-root <dir>] [--model <id>] [--model-force <id>] [--responses] [--verbose] [--worker-sandbox|--no-worker-sandbox|--legacy-exec]"
 flags = [
   "--bot-root <dir>        Allowed folder for bot file writes (defaults to workspace.decks if set; overrides <dir>)",
   "--model <id>            Default model id",
   "--model-force <id>      Override model id",
   "--responses             Run runtime/state in Responses mode",
+  "--worker-sandbox        Force worker execution on",
+  "--no-worker-sandbox     Force worker execution off",
+  "--legacy-exec           Alias for --no-worker-sandbox",
+  "--sandbox               Deprecated alias for --worker-sandbox",
+  "--no-sandbox            Deprecated alias for --no-worker-sandbox",
   "--verbose               Print trace events to console",
 ]
 +++

docs/external/reference/cli/commands/grade.md

@@ -1,14 +1,19 @@
 +++
 command = "grade"
 summary = "Grade a saved state file"
-usage = "gambit grade <grader-deck.(ts|md)> --state <file> [--model <id>] [--model-force <id>] [--trace <file>] [--responses] [--verbose]"
+usage = "gambit grade <grader-deck.(ts|md)> --state <file> [--model <id>] [--model-force <id>] [--trace <file>] [--responses] [--verbose] [--worker-sandbox|--no-worker-sandbox|--legacy-exec]"
 flags = [
   "--grader <path>         Grader deck path (overrides positional)",
   "--state <file>          Load/persist state",
   "--model <id>            Default model id",
   "--model-force <id>      Override model id",
   "--trace <file>          Write trace events to file (JSONL)",
   "--responses             Run runtime/state in Responses mode",
+  "--worker-sandbox        Force worker execution on",
+  "--no-worker-sandbox     Force worker execution off",
+  "--legacy-exec           Alias for --no-worker-sandbox",
+  "--sandbox               Deprecated alias for --worker-sandbox",
+  "--no-sandbox            Deprecated alias for --no-worker-sandbox",
   "--verbose               Print trace events to console",
 ]
 +++

docs/external/reference/cli/commands/repl.md

@@ -1,14 +1,25 @@
 +++
 command = "repl"
 summary = "Start an interactive REPL"
-usage = "gambit repl <deck.(ts|md)> [--context <json|string>] [--message <json|string>] [--model <id>] [--model-force <id>] [--responses] [--verbose]"
+usage = "gambit repl <deck.(ts|md)> [--context <json|string>] [--message <json|string>] [--model <id>] [--model-force <id>] [--responses] [--verbose] [-A|--allow-all|--allow-<kind>] [--worker-sandbox|--no-worker-sandbox|--legacy-exec]"
 flags = [
   "--context <json|string> Context payload (seeds gambit_context; legacy --init still works)",
   "--message <json|string> Initial user message (sent before assistant speaks)",
   "--model <id>            Default model id",
   "--model-force <id>      Override model id",
   "--responses             Run runtime/state in Responses mode",
   "--verbose               Print trace events to console",
+  "-A, --allow-all         Allow all session permissions (read/write/run/net/env)",
+  "--allow-read[=<paths>]  Session read override (all when value omitted)",
+  "--allow-write[=<paths>] Session write override (all when value omitted)",
+  "--allow-run[=<entries>] Session run override (all when value omitted)",
+  "--allow-net[=<hosts>]   Session net override (all when value omitted)",
+  "--allow-env[=<names>]   Session env override (all when value omitted)",
+  "--worker-sandbox        Force worker execution on",
+  "--no-worker-sandbox     Force worker execution off",
+  "--legacy-exec           Alias for --no-worker-sandbox",
+  "--sandbox               Deprecated alias for --worker-sandbox",
+  "--no-sandbox            Deprecated alias for --no-worker-sandbox",
 ]
 +++
 

docs/external/reference/cli/commands/run.md

@@ -1,7 +1,7 @@
 +++
 command = "run"
 summary = "Run a deck once"
-usage = "gambit run [<deck.(ts|md)>] [--context <json|string>] [--message <json|string>] [--model <id>] [--model-force <id>] [--trace <file>] [--state <file>] [--stream] [--responses] [--verbose]"
+usage = "gambit run [<deck.(ts|md)>] [--context <json|string>] [--message <json|string>] [--model <id>] [--model-force <id>] [--trace <file>] [--state <file>] [--stream] [--responses] [--verbose] [-A|--allow-all|--allow-<kind>] [--worker-sandbox|--no-worker-sandbox|--legacy-exec]"
 flags = [
   "--context <json|string> Context payload (seeds gambit_context; legacy --init still works)",
   "--message <json|string> Initial user message (sent before assistant speaks)",
@@ -12,6 +12,17 @@ flags = [
   "--stream                Enable streaming responses",
   "--responses             Run runtime/state in Responses mode",
   "--verbose               Print trace events to console",
+  "-A, --allow-all         Allow all session permissions (read/write/run/net/env)",
+  "--allow-read[=<paths>]  Session read override (all when value omitted)",
+  "--allow-write[=<paths>] Session write override (all when value omitted)",
+  "--allow-run[=<entries>] Session run override (all when value omitted)",
+  "--allow-net[=<hosts>]   Session net override (all when value omitted)",
+  "--allow-env[=<names>]   Session env override (all when value omitted)",
+  "--worker-sandbox        Force worker execution on",
+  "--no-worker-sandbox     Force worker execution off",
+  "--legacy-exec           Alias for --no-worker-sandbox",
+  "--sandbox               Deprecated alias for --worker-sandbox",
+  "--no-sandbox            Deprecated alias for --no-worker-sandbox",
 ]
 +++
 

docs/external/reference/cli/commands/serve.md

@@ -1,7 +1,7 @@
 +++
 command = "serve"
 summary = "Run the debug UI server"
-usage = "gambit serve [<deck.(ts|md)>] [--model <id>] [--model-force <id>] [--port <n>] [--responses] [--verbose] [--watch] [--no-bundle] [--no-sourcemap]"
+usage = "gambit serve [<deck.(ts|md)>] [--model <id>] [--model-force <id>] [--port <n>] [--responses] [--verbose] [--watch] [--no-bundle] [--no-sourcemap] [--worker-sandbox|--no-worker-sandbox|--legacy-exec]"
 flags = [
   "--model <id>            Default model id",
   "--model-force <id>      Override model id",
@@ -13,6 +13,11 @@ flags = [
   "--sourcemap             Generate external source maps (serve; default in dev)",
   "--no-sourcemap          Disable source map generation (serve)",
   "--platform <platform>   Bundle target platform: deno (default) or web (browser)",
+  "--worker-sandbox        Force worker execution on",
+  "--no-worker-sandbox     Force worker execution off",
+  "--legacy-exec           Alias for --no-worker-sandbox",
+  "--sandbox               Deprecated alias for --worker-sandbox",
+  "--no-sandbox            Deprecated alias for --no-worker-sandbox",
   "--verbose               Print trace events to console",
 ]
 +++

docs/external/reference/cli/commands/test-bot.md

@@ -1,7 +1,7 @@
 +++
 command = "test-bot"
 summary = "Run a persona/test-bot loop"
-usage = "gambit test-bot <root-deck.(ts|md)> --test-deck <persona-deck.(ts|md)> [--context <json|string>] [--bot-input <json|string>] [--message <json|string>] [--max-turns <n>] [--state <file>] [--grade <grader-deck.(ts|md)> ...] [--trace <file>] [--responses] [--verbose]"
+usage = "gambit test-bot <root-deck.(ts|md)> --test-deck <persona-deck.(ts|md)> [--context <json|string>] [--bot-input <json|string>] [--message <json|string>] [--max-turns <n>] [--state <file>] [--grade <grader-deck.(ts|md)> ...] [--trace <file>] [--responses] [--verbose] [--worker-sandbox|--no-worker-sandbox|--legacy-exec]"
 flags = [
   "--test-deck <path>      Persona/test deck path",
   "--grade <path>          Grader deck path (repeatable)",
@@ -14,6 +14,11 @@ flags = [
   "--model-force <id>      Override model id",
   "--trace <file>          Write trace events to file (JSONL)",
   "--responses             Run runtime/state in Responses mode",
+  "--worker-sandbox        Force worker execution on",
+  "--no-worker-sandbox     Force worker execution off",
+  "--legacy-exec           Alias for --no-worker-sandbox",
+  "--sandbox               Deprecated alias for --worker-sandbox",
+  "--no-sandbox            Deprecated alias for --no-worker-sandbox",
   "--verbose               Print trace events to console",
 ]
 +++

packages/gambit-core/src/permissions.test.ts

@@ -1,11 +1,13 @@
-import { assert, assertEquals } from "@std/assert";
+import { assert, assertEquals, assertThrows } from "@std/assert";
 import * as path from "@std/path";
 import {
   canReadPath,
   canRunCommand,
   canRunPath,
+  canWritePath,
   normalizePermissionDeclaration,
   normalizePermissionDeclarationToSet,
+  type PermissionDeclarationInput,
   resolveEffectivePermissions,
 } from "./permissions.ts";
 
@@ -129,6 +131,48 @@ Deno.test("child-only inherited permissions use child baseDir for relative check
   );
 });
 
+Deno.test("path grants cover descendant files within the directory tree", () => {
+  const set = normalizePermissionDeclarationToSet(
+    {
+      read: ["./shared"],
+      write: ["./shared", "./local.txt"],
+    },
+    "/workspace/decks/root",
+  );
+  assert(set, "expected normalized permission set");
+
+  assertEquals(
+    canReadPath(set, "./shared/prompts/prompt.txt"),
+    true,
+    "read grants must apply to files beneath a declared directory",
+  );
+  assertEquals(
+    canReadPath(set, "./shared"),
+    true,
+    "read grants must apply to the directory itself",
+  );
+  assertEquals(
+    canReadPath(set, "./other/path.txt"),
+    false,
+    "read grants must not leak into sibling directories",
+  );
+  assertEquals(
+    canWritePath(set, "./shared/prompts/prompt.txt"),
+    true,
+    "write grants must apply to files beneath a declared directory",
+  );
+  assertEquals(
+    canWritePath(set, "./local.txt"),
+    true,
+    "write grants must still allow file-specific declarations",
+  );
+  assertEquals(
+    canWritePath(set, "./local.txt.bak"),
+    false,
+    "write grants must not allow unrelated files",
+  );
+});
+
 Deno.test("run grants keep path vs command semantics separate", () => {
   const set = normalizePermissionDeclarationToSet(
     {
@@ -147,22 +191,33 @@ Deno.test("run grants keep path vs command semantics separate", () => {
   assertEquals(canRunCommand(set, "bin/tool"), false);
 });
 
-Deno.test("run object-form booleans honor all-access semantics", () => {
-  const pathsTrue = normalizePermissionDeclarationToSet(
-    { run: { paths: true } },
+Deno.test("run=true grants all run access", () => {
+  const runAll = normalizePermissionDeclarationToSet(
+    { run: true },
     "/workspace",
   );
-  assert(pathsTrue, "expected normalized permission set for paths=true");
-  assertEquals(canRunPath(pathsTrue, "/workspace/bin/anything"), true);
-  assertEquals(canRunCommand(pathsTrue, "anything"), true);
+  assert(runAll, "expected normalized permission set for run=true");
+  assertEquals(canRunPath(runAll, "/workspace/bin/anything"), true);
+  assertEquals(canRunCommand(runAll, "anything"), true);
+});
 
-  const commandsTrue = normalizePermissionDeclarationToSet(
-    { run: { commands: true } },
-    "/workspace",
+Deno.test("run object-form booleans are rejected", () => {
+  const invalidPaths = {
+    run: { paths: true },
+  } as unknown as PermissionDeclarationInput;
+  const invalidCommands = {
+    run: { commands: false },
+  } as unknown as PermissionDeclarationInput;
+  assertThrows(
+    () => normalizePermissionDeclarationToSet(invalidPaths, "/workspace"),
+    Error,
+    "permissions.run.paths must be an array in object form",
+  );
+  assertThrows(
+    () => normalizePermissionDeclarationToSet(invalidCommands, "/workspace"),
+    Error,
+    "permissions.run.commands must be an array in object form",
   );
-  assert(commandsTrue, "expected normalized permission set for commands=true");
-  assertEquals(canRunPath(commandsTrue, "/workspace/bin/anything"), true);
-  assertEquals(canRunCommand(commandsTrue, "anything"), true);
 });
 
 Deno.test("unspecified kinds deny by default when a layer is provided", () => {

packages/gambit-core/src/permissions.ts

@@ -11,8 +11,8 @@ export type RunPermissionInput =
   | boolean
   | Array<string>
   | {
-    paths?: boolean | Array<string>;
-    commands?: boolean | Array<string>;
+    paths?: Array<string>;
+    commands?: Array<string>;
   };
 
 export type PermissionDeclarationInput = Partial<{
@@ -175,19 +175,22 @@ function normalizeRun(
     paths?: unknown;
     commands?: unknown;
   };
+  if (typeof record.paths === "boolean") {
+    throw new Error(
+      "permissions.run.paths must be an array in object form; use permissions.run=true for full run access",
+    );
+  }
+  if (typeof record.commands === "boolean") {
+    throw new Error(
+      "permissions.run.commands must be an array in object form; use permissions.run=true for full run access",
+    );
+  }
   const pathsScope = normalizeList(record.paths, "run", baseDir, {
     resolvePaths: true,
   });
   const commandsScope = normalizeList(record.commands, "run", baseDir, {
     resolvePaths: false,
   });
-  if (pathsScope.all || commandsScope.all) {
-    return {
-      all: true,
-      paths: new Set<string>(),
-      commands: new Set<string>(),
-    };
-  }
   return {
     all: false,
     paths: pathsScope.values,
@@ -424,9 +427,20 @@ export function resolveEffectivePermissions(args: {
   };
 }
 
+/**
+ * Checks whether `target` is covered by `scope`, treating each value as either
+ * an exact path grant or the root of an allowed directory tree.
+ */
 function matchScope(scope: NormalizedScope, target: string): boolean {
   if (scope.all) return true;
-  return scope.values.has(target);
+  for (const root of scope.values) {
+    if (root === target) return true;
+    const rel = path.relative(root, target);
+    if (rel.length > 0 && !rel.startsWith("..") && !path.isAbsolute(rel)) {
+      return true;
+    }
+  }
+  return false;
 }
 
 /**