sync(bfmono): fix(gambit-server): persist and catch backend errors across build/test/grade (+19 more) (bfmono@21e6b4d37)

This PR is an automated gambitmono sync of bfmono Gambit packages.

- Source: `packages/gambit/`
- Core: `packages/gambit-core/`
- bfmono rev: 21e6b4d37

Changes:
- 21e6b4d37 fix(gambit-server): persist and catch backend errors across build/test/grade
- 29eaa58b7 fix(gambit): enforce inherited permissions in OpenAI compat actions
- d502df5cd feat(gambit-core): add permission-gated built-in file tooling
- c04141504 feat(gambit-cli): add session permission override flags
- 85442ffcd test(gambit-core): add worker bootstrap permission regressions
- 08bab3af1 feat(gambit-core): add worker compute runner with bridged permissions
- 70ec3b942 feat(gambit): add tool-call-aware grader schemas and root-deck guards
- cae381f00 feat(gambit): align scaffolds with product command and hourglass policies
- 5faa48b35 feat(gambit): move bot policy to folder and enforce policy summarizer flow
- 9a36c4a7e fix(gambit): align env loading with init and block .gambit env writes
- dbe7c54ca feat(gambit-bot): add file actions and scenario deck structure
- 855784d6b docs(gambit): add public permissions guide and API jsdoc
- 8f0ca0a85 feat(gambit): trace effective permission layers at runtime
- 90b4b5071 feat(gambit-core): add phase-1 permission contract primitives
- df9280f6a fix(gambit): restore build-bot deck path compatibility
- daca46555 feat(simulator-ui): wire build, test, and grade to workspace sessions
- e404a17d7 feat(gambit): add workspace-backed serve and bot sandbox flow
- 5f4fa86b9 feat(gambit): scaffold workspace defaults in init
- cf9b23778 feat(gambit-core): add schema guards and model param passthrough
- d0e5a9617 [gambit] move chat message into transcript so it scrolls

Do not edit this repo directly; make changes in bfmono and re-run the sync.

Author: bft-codebot

docs/external/reference/cli/commands/repl.md

@@ -1,14 +1,22 @@
 +++
 command = "repl"
 summary = "Start an interactive REPL"
-usage = "gambit repl <deck.(ts|md)> [--context <json|string>] [--message <json|string>] [--model <id>] [--model-force <id>] [--responses] [--verbose]"
+usage = "gambit repl <deck.(ts|md)> [--context <json|string>] [--message <json|string>] [--model <id>] [--model-force <id>] [--responses] [--verbose] [-A|--allow-all|--allow-<kind>] [--sandbox|--no-sandbox]"
 flags = [
   "--context <json|string> Context payload (seeds gambit_context; legacy --init still works)",
   "--message <json|string> Initial user message (sent before assistant speaks)",
   "--model <id>            Default model id",
   "--model-force <id>      Override model id",
   "--responses             Run runtime/state in Responses mode",
   "--verbose               Print trace events to console",
+  "-A, --allow-all         Allow all session permissions (read/write/run/net/env)",
+  "--allow-read[=<paths>]  Session read override (all when value omitted)",
+  "--allow-write[=<paths>] Session write override (all when value omitted)",
+  "--allow-run[=<entries>] Session run override (all when value omitted)",
+  "--allow-net[=<hosts>]   Session net override (all when value omitted)",
+  "--allow-env[=<names>]   Session env override (all when value omitted)",
+  "--sandbox               Force worker sandbox on",
+  "--no-sandbox            Force worker sandbox off",
 ]
 +++
 

docs/external/reference/cli/commands/run.md

@@ -1,7 +1,7 @@
 +++
 command = "run"
 summary = "Run a deck once"
-usage = "gambit run [<deck.(ts|md)>] [--context <json|string>] [--message <json|string>] [--model <id>] [--model-force <id>] [--trace <file>] [--state <file>] [--stream] [--responses] [--verbose]"
+usage = "gambit run [<deck.(ts|md)>] [--context <json|string>] [--message <json|string>] [--model <id>] [--model-force <id>] [--trace <file>] [--state <file>] [--stream] [--responses] [--verbose] [-A|--allow-all|--allow-<kind>] [--sandbox|--no-sandbox]"
 flags = [
   "--context <json|string> Context payload (seeds gambit_context; legacy --init still works)",
   "--message <json|string> Initial user message (sent before assistant speaks)",
@@ -12,6 +12,14 @@ flags = [
   "--stream                Enable streaming responses",
   "--responses             Run runtime/state in Responses mode",
   "--verbose               Print trace events to console",
+  "-A, --allow-all         Allow all session permissions (read/write/run/net/env)",
+  "--allow-read[=<paths>]  Session read override (all when value omitted)",
+  "--allow-write[=<paths>] Session write override (all when value omitted)",
+  "--allow-run[=<entries>] Session run override (all when value omitted)",
+  "--allow-net[=<hosts>]   Session net override (all when value omitted)",
+  "--allow-env[=<names>]   Session env override (all when value omitted)",
+  "--sandbox               Force worker sandbox on",
+  "--no-sandbox            Force worker sandbox off",
 ]
 +++
 

packages/gambit-core/src/permissions.test.ts

@@ -1,11 +1,12 @@
-import { assert, assertEquals } from "@std/assert";
+import { assert, assertEquals, assertThrows } from "@std/assert";
 import * as path from "@std/path";
 import {
   canReadPath,
   canRunCommand,
   canRunPath,
   normalizePermissionDeclaration,
   normalizePermissionDeclarationToSet,
+  type PermissionDeclarationInput,
   resolveEffectivePermissions,
 } from "./permissions.ts";
 
@@ -147,22 +148,33 @@ Deno.test("run grants keep path vs command semantics separate", () => {
   assertEquals(canRunCommand(set, "bin/tool"), false);
 });
 
-Deno.test("run object-form booleans honor all-access semantics", () => {
-  const pathsTrue = normalizePermissionDeclarationToSet(
-    { run: { paths: true } },
+Deno.test("run=true grants all run access", () => {
+  const runAll = normalizePermissionDeclarationToSet(
+    { run: true },
     "/workspace",
   );
-  assert(pathsTrue, "expected normalized permission set for paths=true");
-  assertEquals(canRunPath(pathsTrue, "/workspace/bin/anything"), true);
-  assertEquals(canRunCommand(pathsTrue, "anything"), true);
+  assert(runAll, "expected normalized permission set for run=true");
+  assertEquals(canRunPath(runAll, "/workspace/bin/anything"), true);
+  assertEquals(canRunCommand(runAll, "anything"), true);
+});
 
-  const commandsTrue = normalizePermissionDeclarationToSet(
-    { run: { commands: true } },
-    "/workspace",
+Deno.test("run object-form booleans are rejected", () => {
+  const invalidPaths = {
+    run: { paths: true },
+  } as unknown as PermissionDeclarationInput;
+  const invalidCommands = {
+    run: { commands: false },
+  } as unknown as PermissionDeclarationInput;
+  assertThrows(
+    () => normalizePermissionDeclarationToSet(invalidPaths, "/workspace"),
+    Error,
+    "permissions.run.paths must be an array in object form",
+  );
+  assertThrows(
+    () => normalizePermissionDeclarationToSet(invalidCommands, "/workspace"),
+    Error,
+    "permissions.run.commands must be an array in object form",
   );
-  assert(commandsTrue, "expected normalized permission set for commands=true");
-  assertEquals(canRunPath(commandsTrue, "/workspace/bin/anything"), true);
-  assertEquals(canRunCommand(commandsTrue, "anything"), true);
 });
 
 Deno.test("unspecified kinds deny by default when a layer is provided", () => {

packages/gambit-core/src/permissions.ts

@@ -11,8 +11,8 @@ export type RunPermissionInput =
   | boolean
   | Array<string>
   | {
-    paths?: boolean | Array<string>;
-    commands?: boolean | Array<string>;
+    paths?: Array<string>;
+    commands?: Array<string>;
   };
 
 export type PermissionDeclarationInput = Partial<{
@@ -175,19 +175,22 @@ function normalizeRun(
     paths?: unknown;
     commands?: unknown;
   };
+  if (typeof record.paths === "boolean") {
+    throw new Error(
+      "permissions.run.paths must be an array in object form; use permissions.run=true for full run access",
+    );
+  }
+  if (typeof record.commands === "boolean") {
+    throw new Error(
+      "permissions.run.commands must be an array in object form; use permissions.run=true for full run access",
+    );
+  }
   const pathsScope = normalizeList(record.paths, "run", baseDir, {
     resolvePaths: true,
   });
   const commandsScope = normalizeList(record.commands, "run", baseDir, {
     resolvePaths: false,
   });
-  if (pathsScope.all || commandsScope.all) {
-    return {
-      all: true,
-      paths: new Set<string>(),
-      commands: new Set<string>(),
-    };
-  }
   return {
     all: false,
     paths: pathsScope.values,