@bolt-foundry/gambit-core 0.8.1 → 0.8.5-rc.3

package/script/src/runtime.js

@@ -33,11 +33,17 @@ var __importStar = (this && this.__importStar) || (function () {
     };
 })();
 Object.defineProperty(exports, "__esModule", { value: true });
+exports.RunCanceledError = void 0;
 exports.isGambitEndSignal = isGambitEndSignal;
+exports.isRunCanceledError = isRunCanceledError;
 exports.runDeck = runDeck;
+const dntShim = __importStar(require("../_dnt.shims.js"));
 const path = __importStar(require("../deps/jsr.io/@std/path/1.1.4/mod.js"));
 const constants_js_1 = require("./constants.js");
 const loader_js_1 = require("./loader.js");
+const permissions_js_1 = require("./permissions.js");
+const runtime_exec_host_js_1 = require("./runtime_exec_host.js");
+const runtime_worker_host_js_1 = require("./runtime_worker_host.js");
 const schema_js_1 = require("./schema.js");
 function isGambitEndSignal(value) {
     return Boolean(value &&
@@ -50,6 +56,301 @@ function randomId(prefix) {
     // Keep IDs short enough for OpenAI/OpenRouter tool_call id limits (~40 chars).
     return `${prefix}-${suffix}`;
 }
+const WORKER_SANDBOX_ENV = "GAMBIT_DECK_WORKER_SANDBOX";
+const WORKER_TIMEOUT_MESSAGE = "Timeout exceeded";
+const RUN_CANCELED_MESSAGE = "Run canceled";
+const WORKER_SANDBOX_SIGNAL_UNSUPPORTED_MESSAGE = "workerSandbox is unsupported when `signal` is provided.";
+const INSPECT_WORKER_TIMEOUT_MS = 1_500;
+const INSPECT_WORKER_TIMEOUT_MESSAGE = "Deck inspection timed out";
+const BUILTIN_TOOL_READ_FILE = "read_file";
+const BUILTIN_TOOL_LIST_DIR = "list_dir";
+const BUILTIN_TOOL_GREP_FILES = "grep_files";
+const BUILTIN_TOOL_APPLY_PATCH = "apply_patch";
+const BUILTIN_TOOL_EXEC = "exec";
+const BUILTIN_TOOL_NAMES = new Set([
+    BUILTIN_TOOL_READ_FILE,
+    BUILTIN_TOOL_LIST_DIR,
+    BUILTIN_TOOL_GREP_FILES,
+    BUILTIN_TOOL_APPLY_PATCH,
+    BUILTIN_TOOL_EXEC,
+]);
+const TRUSTED_SCHEMA_IMPORT_PREFIXES = [
+    "@bolt-foundry/gambit-core/schemas",
+    "gambit://schemas",
+];
+class RunCanceledError extends Error {
+    constructor(message = RUN_CANCELED_MESSAGE) {
+        super(message);
+        Object.defineProperty(this, "code", {
+            enumerable: true,
+            configurable: true,
+            writable: true,
+            value: "run_canceled"
+        });
+        this.name = "RunCanceledError";
+    }
+}
+exports.RunCanceledError = RunCanceledError;
+class WorkerSandboxSignalUnsupportedError extends Error {
+    constructor(message = WORKER_SANDBOX_SIGNAL_UNSUPPORTED_MESSAGE) {
+        super(message);
+        Object.defineProperty(this, "code", {
+            enumerable: true,
+            configurable: true,
+            writable: true,
+            value: "worker_sandbox_signal_unsupported"
+        });
+        this.name = "WorkerSandboxSignalUnsupportedError";
+    }
+}
+function isRunCanceledError(err) {
+    if (!err || typeof err !== "object")
+        return false;
+    const name = err.name;
+    const code = err.code;
+    if (name === "RunCanceledError" || code === "run_canceled")
+        return true;
+    if (name === "AbortError")
+        return true;
+    return false;
+}
+function shouldUseWorkerSandbox() {
+    let raw;
+    try {
+        raw = dntShim.Deno.env.get(WORKER_SANDBOX_ENV);
+    }
+    catch {
+        return false;
+    }
+    raw = raw?.trim().toLowerCase();
+    return raw === "1" || raw === "true" || raw === "yes";
+}
+function normalizedScopeToWire(scope) {
+    if (scope.all)
+        return true;
+    if (scope.values.size === 0)
+        return false;
+    return Array.from(scope.values).sort();
+}
+function normalizedRunToWire(scope) {
+    if (scope.all)
+        return true;
+    if (scope.paths.size === 0 && scope.commands.size === 0)
+        return false;
+    return {
+        paths: Array.from(scope.paths).sort(),
+        commands: Array.from(scope.commands).sort(),
+    };
+}
+function toWirePermissionSet(set) {
+    return {
+        baseDir: set.baseDir,
+        read: normalizedScopeToWire(set.read),
+        write: normalizedScopeToWire(set.write),
+        run: normalizedRunToWire(set.run),
+        net: normalizedScopeToWire(set.net),
+        env: normalizedScopeToWire(set.env),
+    };
+}
+function wireScopeToNormalized(scope) {
+    if (scope === true)
+        return { all: true, values: new Set() };
+    if (scope === false)
+        return { all: false, values: new Set() };
+    return { all: false, values: new Set(scope) };
+}
+function wireRunToNormalized(scope) {
+    if (scope === true) {
+        return {
+            all: true,
+            paths: new Set(),
+            commands: new Set(),
+        };
+    }
+    if (scope === false) {
+        return {
+            all: false,
+            paths: new Set(),
+            commands: new Set(),
+        };
+    }
+    return {
+        all: false,
+        paths: new Set(scope.paths),
+        commands: new Set(scope.commands),
+    };
+}
+function fromWirePermissionSet(set) {
+    return {
+        baseDir: set.baseDir,
+        read: wireScopeToNormalized(set.read),
+        write: wireScopeToNormalized(set.write),
+        run: wireRunToNormalized(set.run),
+        net: wireScopeToNormalized(set.net),
+        env: wireScopeToNormalized(set.env),
+    };
+}
+function normalizePermissionBaseDir(set, baseDir) {
+    return {
+        ...set,
+        baseDir,
+        read: { all: set.read.all, values: new Set(set.read.values) },
+        write: { all: set.write.all, values: new Set(set.write.values) },
+        run: {
+            all: set.run.all,
+            paths: new Set(set.run.paths),
+            commands: new Set(set.run.commands),
+        },
+        net: { all: set.net.all, values: new Set(set.net.values) },
+        env: { all: set.env.all, values: new Set(set.env.values) },
+    };
+}
+function deadlineForRun(guardrails, existing) {
+    const timeoutDeadline = performance.now() + guardrails.timeoutMs;
+    if (typeof existing === "number" && Number.isFinite(existing)) {
+        return Math.min(existing, timeoutDeadline);
+    }
+    return timeoutDeadline;
+}
+function ensureNotExpired(deadlineMs) {
+    if (performance.now() > deadlineMs) {
+        throw new Error(WORKER_TIMEOUT_MESSAGE);
+    }
+}
+function throwIfCanceled(signal) {
+    if (!signal?.aborted)
+        return;
+    const reason = signal.reason;
+    if (typeof reason === "string" && reason.trim().length > 0) {
+        throw new RunCanceledError(reason);
+    }
+    if (reason instanceof Error && reason.message.trim().length > 0) {
+        throw new RunCanceledError(reason.message);
+    }
+    throw new RunCanceledError();
+}
+function ensureRunActive(deadlineMs, signal) {
+    throwIfCanceled(signal);
+    ensureNotExpired(deadlineMs);
+}
+function isTrustedSchemaImportKey(key) {
+    const normalized = key.trim();
+    if (!normalized)
+        return false;
+    return TRUSTED_SCHEMA_IMPORT_PREFIXES.some((prefix) => normalized === prefix || normalized.startsWith(`${prefix}/`));
+}
+function tryReadWorkspaceConfigPath(deckPath) {
+    const startDir = path.dirname(path.resolve(deckPath));
+    let current = startDir;
+    while (true) {
+        const denoJson = path.join(current, "deno.json");
+        const denoJsonc = path.join(current, "deno.jsonc");
+        try {
+            if (dntShim.Deno.statSync(denoJson).isFile)
+                return denoJson;
+        }
+        catch {
+            // continue search
+        }
+        try {
+            if (dntShim.Deno.statSync(denoJsonc).isFile)
+                return denoJsonc;
+        }
+        catch {
+            // continue search
+        }
+        const parent = path.dirname(current);
+        if (parent === current)
+            break;
+        current = parent;
+    }
+    return undefined;
+}
+function readWorkspaceImportMapKeys(configPath) {
+    const text = dntShim.Deno.readTextFileSync(configPath);
+    const parsed = parseWorkspaceConfig(text);
+    if (!parsed || typeof parsed !== "object" || Array.isArray(parsed) ||
+        !parsed.imports || typeof parsed.imports !== "object" ||
+        Array.isArray(parsed.imports)) {
+        return [];
+    }
+    return Object.keys(parsed.imports);
+}
+function parseWorkspaceConfig(text) {
+    try {
+        return JSON.parse(text);
+    }
+    catch {
+        const stripped = stripJsonComments(text);
+        return JSON.parse(stripped);
+    }
+}
+function stripJsonComments(text) {
+    let out = "";
+    let inString = false;
+    let escapeNext = false;
+    let inLineComment = false;
+    let inBlockComment = false;
+    for (let i = 0; i < text.length; i++) {
+        const ch = text[i];
+        const next = text[i + 1];
+        if (inLineComment) {
+            if (ch === "\n") {
+                inLineComment = false;
+                out += ch;
+            }
+            continue;
+        }
+        if (inBlockComment) {
+            if (ch === "*" && next === "/") {
+                inBlockComment = false;
+                i++;
+            }
+            continue;
+        }
+        if (inString) {
+            out += ch;
+            if (escapeNext) {
+                escapeNext = false;
+            }
+            else if (ch === "\\") {
+                escapeNext = true;
+            }
+            else if (ch === '"') {
+                inString = false;
+            }
+            continue;
+        }
+        if (ch === '"') {
+            inString = true;
+            out += ch;
+            continue;
+        }
+        if (ch === "/" && next === "/") {
+            inLineComment = true;
+            i++;
+            continue;
+        }
+        if (ch === "/" && next === "*") {
+            inBlockComment = true;
+            i++;
+            continue;
+        }
+        out += ch;
+    }
+    return out;
+}
+function enforceTrustedSchemaImportMapPolicy(deckPath) {
+    if (deckPath.startsWith("gambit://"))
+        return;
+    const configPath = tryReadWorkspaceConfigPath(deckPath);
+    if (!configPath)
+        return;
+    const violations = readWorkspaceImportMapKeys(configPath).filter((key) => isTrustedSchemaImportKey(key));
+    if (violations.length === 0)
+        return;
+    throw new Error(`[gambit] trust-boundary violation: workspace import map at ${configPath} remaps trusted schema namespace (${violations.join(", ")})`);
+}
 async function runDeck(opts) {
     const guardrails = {
         ...constants_js_1.DEFAULT_GUARDRAILS,
@@ -62,34 +363,241 @@ async function runDeck(opts) {
         throw new Error(`Max depth ${guardrails.maxDepth} exceeded`);
     }
     const runId = opts.runId ?? opts.state?.runId ?? randomId("run");
-    const deck = await (0, loader_js_1.loadDeck)(opts.path);
-    const deckGuardrails = deck.guardrails ?? {};
-    const effectiveGuardrails = {
-        ...guardrails,
-        ...deckGuardrails,
-    };
+    enforceTrustedSchemaImportMapPolicy(opts.path);
+    const workerSandboxRequested = opts.workerSandbox ??
+        shouldUseWorkerSandbox();
+    if (workerSandboxRequested && !(0, runtime_worker_host_js_1.isWorkerSandboxHostSupported)()) {
+        throw new runtime_worker_host_js_1.WorkerSandboxUnsupportedHostError();
+    }
+    if (workerSandboxRequested && opts.signal) {
+        throw new WorkerSandboxSignalUnsupportedError();
+    }
+    const workerSandbox = workerSandboxRequested;
     const isRoot = Boolean(inferredRoot);
-    ensureSchemaPresence(deck, isRoot);
-    const resolvedInput = resolveInput({
-        deck,
-        input: opts.input,
-        state: opts.state,
-        isRoot,
-        initialUserMessage: opts.initialUserMessage,
-    });
-    const validatedInput = validateInput(deck, resolvedInput, isRoot, opts.allowRootStringInput ?? false);
     const shouldEmitRun = opts.depth === undefined || opts.depth === 0;
-    if (shouldEmitRun) {
-        opts.trace?.({
-            type: "run.start",
-            runId,
-            deckPath: deck.path,
-            input: validatedInput,
-            initialUserMessage: opts
-                .initialUserMessage,
-        });
-    }
+    let canceled = false;
+    let cancelHandled = false;
+    const handleCancel = async () => {
+        if (cancelHandled)
+            return;
+        cancelHandled = true;
+        if (!opts.onCancel)
+            return;
+        try {
+            await opts.onCancel();
+        }
+        catch (err) {
+            logger.warn(`[gambit] runDeck onCancel callback failed: ${err instanceof Error ? err.message : String(err)}`);
+        }
+    };
     try {
+        throwIfCanceled(opts.signal);
+        if (workerSandbox) {
+            const preInspectRunDeadlineMs = deadlineForRun(guardrails, opts.runDeadlineMs);
+            ensureRunActive(preInspectRunDeadlineMs, opts.signal);
+            const inspectedDeck = await inspectDeckInWorker(opts.path, preInspectRunDeadlineMs);
+            const deckDir = path.dirname(inspectedDeck.deckPath);
+            const permissions = (0, permissions_js_1.resolveEffectivePermissions)({
+                baseDir: deckDir,
+                parent: opts.parentPermissions,
+                workspace: opts.workspacePermissions
+                    ? {
+                        baseDir: opts.workspacePermissionsBaseDir ?? deckDir,
+                        permissions: opts.workspacePermissions,
+                    }
+                    : undefined,
+                declaration: inspectedDeck.permissions
+                    ? { baseDir: deckDir, permissions: inspectedDeck.permissions }
+                    : undefined,
+                reference: opts.referencePermissions
+                    ? {
+                        baseDir: opts.referencePermissionsBaseDir ?? deckDir,
+                        permissions: opts.referencePermissions,
+                    }
+                    : undefined,
+                session: opts.sessionPermissions
+                    ? {
+                        baseDir: opts.sessionPermissionsBaseDir ?? dntShim.Deno.cwd(),
+                        permissions: opts.sessionPermissions,
+                    }
+                    : undefined,
+            });
+            const effectiveGuardrails = {
+                ...guardrails,
+                ...(inspectedDeck.guardrails ?? {}),
+            };
+            const runDeadlineMs = deadlineForRun(effectiveGuardrails, opts.runDeadlineMs);
+            ensureRunActive(runDeadlineMs, opts.signal);
+            const resolvedInput = resolveInputWithoutDeck({
+                input: opts.input,
+                state: opts.state,
+                isRoot,
+                initialUserMessage: opts.initialUserMessage,
+            });
+            if (!inspectedDeck.hasModelParams) {
+                if (shouldEmitRun) {
+                    opts.trace?.({
+                        type: "run.start",
+                        runId,
+                        deckPath: inspectedDeck.deckPath,
+                        input: resolvedInput,
+                        initialUserMessage: opts
+                            .initialUserMessage,
+                        permissions: permissions.trace,
+                    });
+                }
+                return await runComputeDeckInWorker({
+                    deckPath: inspectedDeck.deckPath,
+                    guardrails: effectiveGuardrails,
+                    depth,
+                    runId,
+                    initialUserMessage: opts.initialUserMessage,
+                    parentActionCallId: opts.parentActionCallId,
+                    modelProvider: opts.modelProvider,
+                    input: resolvedInput,
+                    defaultModel: opts.defaultModel,
+                    modelOverride: opts.modelOverride,
+                    trace: opts.trace,
+                    stream: opts.stream,
+                    state: opts.state,
+                    onStateUpdate: opts.onStateUpdate,
+                    onStreamText: opts.onStreamText,
+                    responsesMode: opts.responsesMode,
+                    permissions: permissions.effective,
+                    permissionsTrace: permissions.trace,
+                    workspacePermissions: opts.workspacePermissions,
+                    workspacePermissionsBaseDir: opts.workspacePermissionsBaseDir,
+                    sessionPermissions: opts.sessionPermissions,
+                    sessionPermissionsBaseDir: opts.sessionPermissionsBaseDir,
+                    runDeadlineMs,
+                    isRoot,
+                    allowRootStringInput: opts.allowRootStringInput ?? false,
+                    signal: opts.signal,
+                });
+            }
+            if (!opts.inOrchestrationWorker) {
+                return await runLlmDeckInWorker({
+                    deckPath: inspectedDeck.deckPath,
+                    guardrails: effectiveGuardrails,
+                    depth,
+                    runId,
+                    parentActionCallId: opts.parentActionCallId,
+                    modelProvider: opts.modelProvider,
+                    input: resolvedInput,
+                    inputProvided: opts.inputProvided ?? true,
+                    initialUserMessage: opts.initialUserMessage,
+                    defaultModel: opts.defaultModel,
+                    modelOverride: opts.modelOverride,
+                    trace: opts.trace,
+                    stream: opts.stream,
+                    state: opts.state,
+                    onStateUpdate: opts.onStateUpdate,
+                    onStreamText: opts.onStreamText,
+                    responsesMode: opts.responsesMode,
+                    permissions: permissions.effective,
+                    permissionsTrace: permissions.trace,
+                    workspacePermissions: opts.workspacePermissions,
+                    workspacePermissionsBaseDir: opts.workspacePermissionsBaseDir,
+                    sessionPermissions: opts.sessionPermissions,
+                    sessionPermissionsBaseDir: opts.sessionPermissionsBaseDir,
+                    runDeadlineMs,
+                    workerSandbox,
+                    allowRootStringInput: opts.allowRootStringInput,
+                    isRoot,
+                    signal: opts.signal,
+                });
+            }
+        }
+        const deck = await (0, loader_js_1.loadDeck)(opts.path);
+        const permissions = (0, permissions_js_1.resolveEffectivePermissions)({
+            baseDir: path.dirname(deck.path),
+            parent: opts.parentPermissions,
+            workspace: opts.workspacePermissions
+                ? {
+                    baseDir: opts.workspacePermissionsBaseDir ?? path.dirname(deck.path),
+                    permissions: opts.workspacePermissions,
+                }
+                : undefined,
+            declaration: deck.permissions
+                ? { baseDir: path.dirname(deck.path), permissions: deck.permissions }
+                : undefined,
+            reference: opts.referencePermissions
+                ? {
+                    baseDir: opts.referencePermissionsBaseDir ?? path.dirname(deck.path),
+                    permissions: opts.referencePermissions,
+                }
+                : undefined,
+            session: opts.sessionPermissions
+                ? {
+                    baseDir: opts.sessionPermissionsBaseDir ?? dntShim.Deno.cwd(),
+                    permissions: opts.sessionPermissions,
+                }
+                : undefined,
+        });
+        const deckGuardrails = deck.guardrails ?? {};
+        const effectiveGuardrails = {
+            ...guardrails,
+            ...deckGuardrails,
+        };
+        const runDeadlineMs = deadlineForRun(effectiveGuardrails, opts.runDeadlineMs);
+        ensureRunActive(runDeadlineMs, opts.signal);
+        ensureSchemaPresence(deck, isRoot);
+        const resolvedInput = resolveInput({
+            deck,
+            input: opts.input,
+            state: opts.state,
+            isRoot,
+            initialUserMessage: opts.initialUserMessage,
+        });
+        const validatedInput = validateInput(deck, resolvedInput, isRoot, opts.allowRootStringInput ?? false);
+        const useOrchestrationWorker = workerSandbox &&
+            !opts.inOrchestrationWorker &&
+            isRoot &&
+            !opts.onTool &&
+            Boolean(deck.modelParams?.model || deck.modelParams?.temperature !== undefined);
+        if (useOrchestrationWorker) {
+            return await runLlmDeckInWorker({
+                deckPath: deck.path,
+                guardrails: effectiveGuardrails,
+                depth,
+                runId,
+                parentActionCallId: opts.parentActionCallId,
+                modelProvider: opts.modelProvider,
+                input: validatedInput,
+                inputProvided: opts.inputProvided ?? true,
+                initialUserMessage: opts.initialUserMessage,
+                defaultModel: opts.defaultModel,
+                modelOverride: opts.modelOverride,
+                trace: opts.trace,
+                stream: opts.stream,
+                state: opts.state,
+                onStateUpdate: opts.onStateUpdate,
+                onStreamText: opts.onStreamText,
+                responsesMode: opts.responsesMode,
+                permissions: permissions.effective,
+                permissionsTrace: permissions.trace,
+                workspacePermissions: opts.workspacePermissions,
+                workspacePermissionsBaseDir: opts.workspacePermissionsBaseDir,
+                sessionPermissions: opts.sessionPermissions,
+                sessionPermissionsBaseDir: opts.sessionPermissionsBaseDir,
+                runDeadlineMs,
+                workerSandbox,
+                allowRootStringInput: opts.allowRootStringInput,
+                isRoot,
+                signal: opts.signal,
+            });
+        }
+        if (shouldEmitRun) {
+            opts.trace?.({
+                type: "run.start",
+                runId,
+                deckPath: deck.path,
+                input: validatedInput,
+                initialUserMessage: opts
+                    .initialUserMessage,
+                permissions: permissions.trace,
+            });
+        }
         if (deck.modelParams?.model || deck.modelParams?.temperature !== undefined) {
             return await runLlmDeck({
                 deck,
@@ -108,6 +616,17 @@ async function runDeck(opts) {
                 state: opts.state,
                 onStateUpdate: opts.onStateUpdate,
                 onStreamText: opts.onStreamText,
+                responsesMode: opts.responsesMode,
+                permissions: permissions.effective,
+                permissionsTrace: permissions.trace,
+                workspacePermissions: opts.workspacePermissions,
+                workspacePermissionsBaseDir: opts.workspacePermissionsBaseDir,
+                sessionPermissions: opts.sessionPermissions,
+                sessionPermissionsBaseDir: opts.sessionPermissionsBaseDir,
+                runDeadlineMs,
+                workerSandbox,
+                onTool: opts.onTool,
+                signal: opts.signal,
             });
         }
         if (!deck.executor) {
@@ -118,6 +637,7 @@ async function runDeck(opts) {
             guardrails: effectiveGuardrails,
             depth,
             runId,
+            initialUserMessage: opts.initialUserMessage,
             parentActionCallId: opts.parentActionCallId,
             modelProvider: opts.modelProvider,
             input: validatedInput,
@@ -125,19 +645,42 @@ async function runDeck(opts) {
             modelOverride: opts.modelOverride,
             trace: opts.trace,
             stream: opts.stream,
+            state: opts.state,
+            onStateUpdate: opts.onStateUpdate,
             onStreamText: opts.onStreamText,
+            responsesMode: opts.responsesMode,
+            permissions: permissions.effective,
+            permissionsTrace: permissions.trace,
+            workspacePermissions: opts.workspacePermissions,
+            workspacePermissionsBaseDir: opts.workspacePermissionsBaseDir,
+            sessionPermissions: opts.sessionPermissions,
+            sessionPermissionsBaseDir: opts.sessionPermissionsBaseDir,
+            runDeadlineMs,
+            workerSandbox,
+            onTool: opts.onTool,
+            signal: opts.signal,
         });
     }
+    catch (err) {
+        if (isRunCanceledError(err)) {
+            canceled = true;
+            await handleCancel();
+        }
+        throw err;
+    }
     finally {
         if (shouldEmitRun) {
             opts.trace?.({ type: "run.end", runId });
         }
+        if (opts.signal?.aborted && !canceled) {
+            await handleCancel();
+        }
     }
 }
 function toProviderParams(params) {
     if (!params)
         return undefined;
-    const { model: _model, temperature, top_p, frequency_penalty, presence_penalty, max_tokens, } = params;
+    const { model: _model, temperature, top_p, frequency_penalty, presence_penalty, max_tokens, verbosity, reasoning, } = params;
     const out = {};
     if (temperature !== undefined)
         out.temperature = temperature;
@@ -150,15 +693,51 @@ function toProviderParams(params) {
         out.presence_penalty = presence_penalty;
     if (max_tokens !== undefined)
         out.max_tokens = max_tokens;
+    if (verbosity !== undefined)
+        out.verbosity = verbosity;
+    if (reasoning !== undefined)
+        out.reasoning = reasoning;
     return Object.keys(out).length ? out : undefined;
 }
+async function resolveModelChoice(args) {
+    const resolver = args.modelProvider.resolveModel;
+    if (resolver) {
+        return await resolver({
+            model: args.model,
+            params: args.params,
+            deckPath: args.deckPath,
+        });
+    }
+    if (Array.isArray(args.model)) {
+        const first = args.model.find((entry) => typeof entry === "string" && entry.trim().length > 0);
+        if (!first) {
+            throw new Error(`No model configured for deck ${args.deckPath}`);
+        }
+        return { model: first, params: args.params };
+    }
+    if (!args.model || !args.model.trim()) {
+        throw new Error(`No model configured for deck ${args.deckPath}`);
+    }
+    return { model: args.model, params: args.params };
+}
+function resolveContextSchema(deck) {
+    return deck.contextSchema ?? deck.inputSchema;
+}
+function resolveResponseSchema(deck) {
+    return deck.responseSchema ?? deck.outputSchema;
+}
+function isContextToolName(name) {
+    return name === constants_js_1.GAMBIT_TOOL_CONTEXT || name === constants_js_1.GAMBIT_TOOL_INIT;
+}
 function ensureSchemaPresence(deck, isRoot) {
     if (!isRoot) {
-        if (!deck.inputSchema || !deck.outputSchema) {
-            throw new Error(`Deck ${deck.path} must declare inputSchema and outputSchema (non-root)`);
+        const contextSchema = resolveContextSchema(deck);
+        const responseSchema = resolveResponseSchema(deck);
+        if (!contextSchema || !responseSchema) {
+            throw new Error(`Deck ${deck.path} must declare contextSchema and responseSchema (non-root)`);
         }
-        (0, schema_js_1.assertZodSchema)(deck.inputSchema, "inputSchema");
-        (0, schema_js_1.assertZodSchema)(deck.outputSchema, "outputSchema");
+        (0, schema_js_1.assertZodSchema)(contextSchema, "contextSchema");
+        (0, schema_js_1.assertZodSchema)(responseSchema, "responseSchema");
     }
 }
 function resolveInput(args) {
@@ -166,11 +745,11 @@ function resolveInput(args) {
         return args.input;
     if (!args.isRoot)
         return args.input;
-    const persisted = extractInitInput(args.state);
+    const persisted = extractContextInput(args.state);
     if (persisted !== undefined)
         return persisted;
     if (args.initialUserMessage !== undefined) {
-        const schema = args.deck.inputSchema;
+        const schema = resolveContextSchema(args.deck);
         if (schema?.safeParse) {
             const candidates = [undefined, {}, ""];
             for (const candidate of candidates) {
@@ -188,12 +767,30 @@ function resolveInput(args) {
     }
     return args.input;
 }
-function extractInitInput(state) {
-    if (!state?.messages)
+function resolveInputWithoutDeck(args) {
+    if (args.input !== undefined)
+        return args.input;
+    if (!args.isRoot)
+        return args.input;
+    const persisted = extractContextInput(args.state);
+    if (persisted !== undefined)
+        return persisted;
+    if (args.initialUserMessage !== undefined) {
+        return "";
+    }
+    return args.input;
+}
+function extractContextInput(state) {
+    if (!state)
+        return undefined;
+    if (state.format === "responses" && Array.isArray(state.items)) {
+        return extractContextInputFromItems(state.items);
+    }
+    if (!state.messages)
         return undefined;
     for (let i = state.messages.length - 1; i >= 0; i--) {
         const msg = state.messages[i];
-        if (msg.role === "tool" && msg.name === constants_js_1.GAMBIT_TOOL_INIT) {
+        if (msg.role === "tool" && isContextToolName(msg.name ?? "")) {
             const content = msg.content;
             if (typeof content !== "string")
                 return undefined;
@@ -207,17 +804,244 @@ function extractInitInput(state) {
     }
     return undefined;
 }
+function extractContextInputFromItems(items) {
+    const contextToolNames = new Set([constants_js_1.GAMBIT_TOOL_CONTEXT, constants_js_1.GAMBIT_TOOL_INIT]);
+    const callNameById = new Map();
+    for (const item of items) {
+        if (item.type === "function_call") {
+            callNameById.set(item.call_id, item.name);
+        }
+    }
+    for (let i = items.length - 1; i >= 0; i--) {
+        const item = items[i];
+        if (item.type !== "function_call_output")
+            continue;
+        const name = callNameById.get(item.call_id);
+        if (!name || !contextToolNames.has(name))
+            continue;
+        try {
+            return JSON.parse(item.output);
+        }
+        catch {
+            return item.output;
+        }
+    }
+    return undefined;
+}
+function messagesFromResponseItems(items) {
+    const messages = [];
+    const callNameById = new Map();
+    for (const item of items) {
+        if (item.type === "message") {
+            const text = item.content.map((part) => part.text).join("");
+            messages.push({
+                role: item.role,
+                content: text || null,
+            });
+            continue;
+        }
+        if (item.type === "function_call") {
+            callNameById.set(item.call_id, item.name);
+            messages.push({
+                role: "assistant",
+                content: null,
+                tool_calls: [{
+                        id: item.call_id,
+                        type: "function",
+                        function: { name: item.name, arguments: item.arguments },
+                    }],
+            });
+            continue;
+        }
+        if (item.type === "function_call_output") {
+            messages.push({
+                role: "tool",
+                name: callNameById.get(item.call_id),
+                tool_call_id: item.call_id,
+                content: item.output,
+            });
+        }
+    }
+    return messages;
+}
+function responseItemsFromMessages(messages) {
+    const items = [];
+    for (const message of messages) {
+        if (message.role === "tool") {
+            if (!message.tool_call_id || message.content === null)
+                continue;
+            items.push({
+                type: "function_call_output",
+                call_id: message.tool_call_id,
+                output: String(message.content),
+            });
+            continue;
+        }
+        const contentText = message.content ?? "";
+        if (typeof contentText === "string" && contentText.length > 0) {
+            items.push({
+                type: "message",
+                role: message.role,
+                content: [{
+                        type: message.role === "assistant" ? "output_text" : "input_text",
+                        text: contentText,
+                    }],
+            });
+        }
+        if (message.role === "assistant" && message.tool_calls) {
+            for (const call of message.tool_calls) {
+                items.push({
+                    type: "function_call",
+                    call_id: call.id,
+                    name: call.function.name,
+                    arguments: call.function.arguments,
+                });
+            }
+        }
+    }
+    return items;
+}
+function safeJsonArgs(value) {
+    if (!value)
+        return {};
+    try {
+        const parsed = JSON.parse(value);
+        if (parsed && typeof parsed === "object") {
+            return parsed;
+        }
+    }
+    catch {
+        // ignore
+    }
+    return {};
+}
+function asToolKind(value, fallback) {
+    if (value === "action" || value === "external" || value === "mcp_bridge" ||
+        value === "internal") {
+        return value;
+    }
+    return fallback;
+}
+function projectStreamToolTraceEvents(input) {
+    if (!input.trace)
+        return;
+    const type = typeof input.streamEvent.type === "string"
+        ? input.streamEvent.type
+        : "";
+    if (type !== "tool.call" && type !== "tool.result")
+        return;
+    const actionCallId = typeof input.streamEvent.actionCallId === "string"
+        ? input.streamEvent.actionCallId
+        : "";
+    const name = typeof input.streamEvent.name === "string"
+        ? input.streamEvent.name
+        : input.toolNames.get(actionCallId) ?? "";
+    if (!actionCallId || !name)
+        return;
+    if (type === "tool.call") {
+        if (input.emittedCalls.has(actionCallId))
+            return;
+        input.emittedCalls.add(actionCallId);
+        input.toolNames.set(actionCallId, name);
+        const args = "args" in input.streamEvent
+            ? (input.streamEvent.args ?? {})
+            : {};
+        const toolKind = asToolKind(input.streamEvent.toolKind, "mcp_bridge");
+        input.trace({
+            type: "tool.call",
+            runId: input.runId,
+            actionCallId,
+            name,
+            args,
+            toolKind,
+            parentActionCallId: input.parentActionCallId,
+        });
+        return;
+    }
+    if (input.emittedResults.has(actionCallId))
+        return;
+    input.emittedResults.add(actionCallId);
+    const result = "result" in input.streamEvent
+        ? (input.streamEvent.result ?? null)
+        : null;
+    const toolKind = asToolKind(input.streamEvent.toolKind, "mcp_bridge");
+    input.trace({
+        type: "tool.result",
+        runId: input.runId,
+        actionCallId,
+        name,
+        result,
+        toolKind,
+        parentActionCallId: input.parentActionCallId,
+    });
+}
+function traceOpenResponsesStreamEvent(input) {
+    if (!input.trace)
+        return false;
+    const type = typeof input.streamEvent.type === "string"
+        ? input.streamEvent.type
+        : "";
+    if (!type.startsWith("response."))
+        return false;
+    const rawMeta = input.streamEvent._gambit;
+    const existingMeta = rawMeta && typeof rawMeta === "object" &&
+        !Array.isArray(rawMeta)
+        ? rawMeta
+        : {};
+    input.trace({
+        ...input.streamEvent,
+        type,
+        _gambit: {
+            ...existingMeta,
+            run_id: input.runId,
+            action_call_id: input.actionCallId,
+            parent_action_call_id: input.parentActionCallId,
+            deck_path: input.deckPath,
+            model: input.model,
+        },
+    });
+    return true;
+}
+function mapResponseOutput(output) {
+    const toolCalls = [];
+    const textParts = [];
+    for (const item of output) {
+        if (item.type === "function_call") {
+            toolCalls.push({
+                id: item.call_id,
+                name: item.name,
+                args: safeJsonArgs(item.arguments),
+            });
+            continue;
+        }
+        if (item.type === "message" && item.role === "assistant") {
+            for (const part of item.content) {
+                if (part.type === "output_text") {
+                    textParts.push(part.text);
+                }
+            }
+        }
+    }
+    return {
+        message: {
+            role: "assistant",
+            content: textParts.length ? textParts.join("") : null,
+        },
+        toolCalls: toolCalls.length ? toolCalls : undefined,
+    };
+}
 function validateInput(deck, input, isRoot, allowRootStringInput) {
-    if (deck.inputSchema) {
+    const contextSchema = resolveContextSchema(deck);
+    if (contextSchema) {
         if (isRoot && typeof input === "string" && allowRootStringInput) {
             try {
-                return (0, schema_js_1.validateWithSchema)(deck.inputSchema, input);
+                return (0, schema_js_1.validateWithSchema)(contextSchema, input);
             }
             catch {
                 return input;
             }
         }
-        return (0, schema_js_1.validateWithSchema)(deck.inputSchema, input);
+        return (0, schema_js_1.validateWithSchema)(contextSchema, input);
     }
     if (isRoot) {
         if (input === undefined)
@@ -226,28 +1050,1209 @@ function validateInput(deck, input, isRoot, allowRootStringInput) {
             return input;
         return input;
     }
-    throw new Error(`Deck ${deck.path} requires inputSchema (non-root)`);
+    throw new Error(`Deck ${deck.path} requires contextSchema (non-root)`);
 }
 function validateOutput(deck, output, isRoot) {
-    if (deck.outputSchema) {
-        return (0, schema_js_1.validateWithSchema)(deck.outputSchema, output);
+    const responseSchema = resolveResponseSchema(deck);
+    if (responseSchema) {
+        return (0, schema_js_1.validateWithSchema)(responseSchema, output);
+    }
+    if (isRoot) {
+        if (typeof output === "string")
+            return output;
+        return JSON.stringify(output);
+    }
+    throw new Error(`Deck ${deck.path} requires responseSchema (non-root)`);
+}
+async function runComputeDeck(ctx) {
+    if (ctx.workerSandbox) {
+        return await runComputeDeckInWorker({
+            guardrails: ctx.guardrails,
+            depth: ctx.depth,
+            runId: ctx.runId,
+            inputProvided: ctx.inputProvided,
+            initialUserMessage: ctx.initialUserMessage,
+            parentActionCallId: ctx.parentActionCallId,
+            modelProvider: ctx.modelProvider,
+            input: ctx.input,
+            defaultModel: ctx.defaultModel,
+            modelOverride: ctx.modelOverride,
+            trace: ctx.trace,
+            stream: ctx.stream,
+            state: ctx.state,
+            onStateUpdate: ctx.onStateUpdate,
+            onStreamText: ctx.onStreamText,
+            responsesMode: ctx.responsesMode,
+            permissions: ctx.permissions,
+            permissionsTrace: ctx.permissionsTrace,
+            workspacePermissions: ctx.workspacePermissions,
+            workspacePermissionsBaseDir: ctx.workspacePermissionsBaseDir,
+            sessionPermissions: ctx.sessionPermissions,
+            sessionPermissionsBaseDir: ctx.sessionPermissionsBaseDir,
+            runDeadlineMs: ctx.runDeadlineMs,
+            deckPath: ctx.deck.path,
+            isRoot: ctx.depth === 0 && !ctx.parentActionCallId,
+            allowRootStringInput: false,
+            signal: ctx.signal,
+        });
+    }
+    return await runComputeDeckInProcess(ctx);
+}
+function toDenoPermissionList(scope) {
+    if (scope.all)
+        return true;
+    if (scope.values.size === 0)
+        return false;
+    return Array.from(scope.values).sort();
+}
+function toDenoRunPermission(scope) {
+    if (scope.all)
+        return true;
+    const values = new Set([
+        ...Array.from(scope.paths),
+        ...Array.from(scope.commands),
+    ]);
+    if (values.size === 0)
+        return false;
+    return Array.from(values).sort();
+}
+const IMPORT_SOURCE_EXTENSIONS = new Set([
+    ".ts",
+    ".tsx",
+    ".mts",
+    ".cts",
+    ".js",
+    ".jsx",
+    ".mjs",
+    ".cjs",
+]);
+const RESOLVABLE_MODULE_EXTENSIONS = [
+    ".ts",
+    ".tsx",
+    ".mts",
+    ".cts",
+    ".js",
+    ".jsx",
+    ".mjs",
+    ".cjs",
+    ".json",
+];
+function stripSpecifierSuffix(specifier) {
+    let out = specifier;
+    const q = out.indexOf("?");
+    if (q >= 0)
+        out = out.slice(0, q);
+    const h = out.indexOf("#");
+    if (h >= 0)
+        out = out.slice(0, h);
+    return out.trim();
+}
+function isIdentifierStart(ch) {
+    return /[A-Za-z_$]/.test(ch);
+}
+function isIdentifierContinue(ch) {
+    return /[A-Za-z0-9_$]/.test(ch);
+}
+function skipWhitespaceAndComments(source, start) {
+    let i = start;
+    while (i < source.length) {
+        const ch = source[i];
+        if (/\s/.test(ch)) {
+            i++;
+            continue;
+        }
+        if (ch === "/" && source[i + 1] === "/") {
+            i += 2;
+            while (i < source.length && source[i] !== "\n" && source[i] !== "\r") {
+                i++;
+            }
+            continue;
+        }
+        if (ch === "/" && source[i + 1] === "*") {
+            i += 2;
+            while (i < source.length) {
+                if (source[i] === "*" && source[i + 1] === "/") {
+                    i += 2;
+                    break;
+                }
+                i++;
+            }
+            continue;
+        }
+        break;
+    }
+    return i;
+}
+function readIdentifier(source, start) {
+    if (start >= source.length)
+        return undefined;
+    if (!isIdentifierStart(source[start]))
+        return undefined;
+    let i = start + 1;
+    while (i < source.length && isIdentifierContinue(source[i]))
+        i++;
+    return { value: source.slice(start, i), end: i };
+}
+function readStringLiteral(source, start) {
+    const quote = source[start];
+    if (quote !== "'" && quote !== '"')
+        return undefined;
+    let i = start + 1;
+    let value = "";
+    while (i < source.length) {
+        const ch = source[i];
+        if (ch === "\\") {
+            if (i + 1 >= source.length)
+                return undefined;
+            value += source[i + 1];
+            i += 2;
+            continue;
+        }
+        if (ch === quote)
+            return { value, end: i + 1 };
+        if (ch === "\n" || ch === "\r")
+            return undefined;
+        value += ch;
+        i++;
+    }
+    return undefined;
+}
+function skipTemplateExpression(source, start) {
+    let i = start;
+    let depth = 1;
+    while (i < source.length && depth > 0) {
+        i = skipWhitespaceAndComments(source, i);
+        if (i >= source.length)
+            break;
+        const ch = source[i];
+        if (ch === "'" || ch === '"') {
+            const stringLiteral = readStringLiteral(source, i);
+            i = stringLiteral ? stringLiteral.end : i + 1;
+            continue;
+        }
+        if (ch === "`") {
+            i = skipTemplateLiteral(source, i);
+            continue;
+        }
+        if (ch === "{") {
+            depth++;
+            i++;
+            continue;
+        }
+        if (ch === "}") {
+            depth--;
+            i++;
+            continue;
+        }
+        i++;
+    }
+    return i;
+}
+function skipTemplateLiteral(source, start) {
+    let i = start + 1;
+    while (i < source.length) {
+        const ch = source[i];
+        if (ch === "\\") {
+            i += 2;
+            continue;
+        }
+        if (ch === "`")
+            return i + 1;
+        if (ch === "$" && source[i + 1] === "{") {
+            i = skipTemplateExpression(source, i + 2);
+            continue;
+        }
+        i++;
+    }
+    return i;
+}
+function readSpecifierAfterFrom(source, start) {
+    const i = skipWhitespaceAndComments(source, start);
+    const stringLiteral = readStringLiteral(source, i);
+    if (!stringLiteral)
+        return { end: i };
+    return { specifier: stringLiteral.value, end: stringLiteral.end };
+}
+function readImportCallSpecifier(source, start) {
+    let i = skipWhitespaceAndComments(source, start);
+    if (source[i] !== "(")
+        return { end: i };
+    i = skipWhitespaceAndComments(source, i + 1);
+    const stringLiteral = readStringLiteral(source, i);
+    if (!stringLiteral)
+        return { end: i };
+    i = skipWhitespaceAndComments(source, stringLiteral.end);
+    if (source[i] === ")")
+        i++;
+    return { specifier: stringLiteral.value, end: i };
+}
+function readImportOrExportStatementSpecifier(source, start, keyword) {
+    let i = skipWhitespaceAndComments(source, start);
+    if (keyword === "import") {
+        if (source[i] === ".")
+            return { end: i + 1 }; // import.meta
+        const sideEffectImport = readStringLiteral(source, i);
+        if (sideEffectImport) {
+            return { specifier: sideEffectImport.value, end: sideEffectImport.end };
+        }
+    }
+    let depth = 0;
+    while (i < source.length) {
+        i = skipWhitespaceAndComments(source, i);
+        if (i >= source.length)
+            break;
+        const ch = source[i];
+        if (ch === "'" || ch === '"') {
+            const stringLiteral = readStringLiteral(source, i);
+            i = stringLiteral ? stringLiteral.end : i + 1;
+            continue;
+        }
+        if (ch === "`") {
+            i = skipTemplateLiteral(source, i);
+            continue;
+        }
+        if (ch === "(" || ch === "[" || ch === "{") {
+            depth++;
+            i++;
+            continue;
+        }
+        if (ch === ")" || ch === "]" || ch === "}") {
+            if (depth > 0)
+                depth--;
+            i++;
+            continue;
+        }
+        if (depth === 0) {
+            if (ch === ";")
+                return { end: i + 1 };
+            const identifier = readIdentifier(source, i);
+            if (identifier?.value === "from") {
+                return readSpecifierAfterFrom(source, identifier.end);
+            }
+            if (identifier) {
+                i = identifier.end;
+                continue;
+            }
+        }
+        i++;
+    }
+    return { end: i };
+}
+function extractModuleSpecifiers(source) {
+    const out = new Set();
+    let i = 0;
+    while (i < source.length) {
+        i = skipWhitespaceAndComments(source, i);
+        if (i >= source.length)
+            break;
+        const ch = source[i];
+        if (ch === "'" || ch === '"') {
+            const stringLiteral = readStringLiteral(source, i);
+            i = stringLiteral ? stringLiteral.end : i + 1;
+            continue;
+        }
+        if (ch === "`") {
+            i = skipTemplateLiteral(source, i);
+            continue;
+        }
+        const identifier = readIdentifier(source, i);
+        if (!identifier) {
+            i++;
+            continue;
+        }
+        if (identifier.value === "import") {
+            const afterImport = skipWhitespaceAndComments(source, identifier.end);
+            if (source[afterImport] === "(") {
+                const result = readImportCallSpecifier(source, afterImport);
+                if (result.specifier)
+                    out.add(result.specifier);
+                i = Math.max(result.end, afterImport + 1);
+                continue;
+            }
+            const result = readImportOrExportStatementSpecifier(source, identifier.end, "import");
+            if (result.specifier)
+                out.add(result.specifier);
+            i = Math.max(result.end, identifier.end);
+            continue;
+        }
+        if (identifier.value === "export") {
+            const result = readImportOrExportStatementSpecifier(source, identifier.end, "export");
+            if (result.specifier)
+                out.add(result.specifier);
+            i = Math.max(result.end, identifier.end);
+            continue;
+        }
+        i = identifier.end;
+    }
+    return out;
+}
+function resolveExistingModulePath(candidate) {
+    const resolved = path.resolve(candidate);
+    const candidates = new Set([resolved]);
+    if (!path.extname(resolved)) {
+        for (const ext of RESOLVABLE_MODULE_EXTENSIONS) {
+            candidates.add(`${resolved}${ext}`);
+            candidates.add(path.join(resolved, `index${ext}`));
+        }
+    }
+    for (const filePath of candidates) {
+        try {
+            if (dntShim.Deno.statSync(filePath).isFile) {
+                return path.resolve(filePath);
+            }
+        }
+        catch {
+            // ignore unresolved module candidates
+        }
+    }
+    return undefined;
+}
+function resolveLocalImportPath(importerPath, specifier) {
+    const cleaned = stripSpecifierSuffix(specifier);
+    if (!cleaned)
+        return undefined;
+    if (cleaned.startsWith("file://")) {
+        try {
+            return resolveExistingModulePath(path.fromFileUrl(cleaned));
+        }
+        catch {
+            return undefined;
+        }
+    }
+    if (!(cleaned.startsWith("./") || cleaned.startsWith("../") ||
+        path.isAbsolute(cleaned))) {
+        return undefined;
+    }
+    const base = path.isAbsolute(cleaned)
+        ? cleaned
+        : path.resolve(path.dirname(importerPath), cleaned);
+    return resolveExistingModulePath(base);
+}
+function collectLocalImportGraph(entryPath) {
+    const visited = new Set();
+    const queue = [path.resolve(entryPath)];
+    while (queue.length > 0) {
+        const current = queue.pop();
+        if (visited.has(current))
+            continue;
+        visited.add(current);
+        const ext = path.extname(current).toLowerCase();
+        if (!IMPORT_SOURCE_EXTENSIONS.has(ext)) {
+            continue;
+        }
+        let source;
+        try {
+            source = dntShim.Deno.readTextFileSync(current);
+        }
+        catch {
+            continue;
+        }
+        const specifiers = extractModuleSpecifiers(source);
+        for (const specifier of specifiers) {
+            const resolved = resolveLocalImportPath(current, specifier);
+            if (resolved && !visited.has(resolved)) {
+                queue.push(resolved);
+            }
+        }
+    }
+    return visited;
+}
+const WORKER_ENTRY_PATHS = [
+    "./runtime_worker.ts",
+    "./runtime_orchestration_worker.ts",
+].map((relative) => path.fromFileUrl(new URL(relative, globalThis[Symbol.for("import-meta-ponyfill-commonjs")](require, module).url)));
+const BUILTIN_SCHEMAS_DIR = path.resolve(path.dirname(path.fromFileUrl(globalThis[Symbol.for("import-meta-ponyfill-commonjs")](require, module).url)), "../schemas");
+const BUILTIN_SNIPPETS_DIR = path.resolve(path.dirname(path.fromFileUrl(globalThis[Symbol.for("import-meta-ponyfill-commonjs")](require, module).url)), "../snippets");
+let builtinSchemaBootstrapCache;
+function builtinSchemaBootstrapReads() {
+    if (builtinSchemaBootstrapCache)
+        return builtinSchemaBootstrapCache;
+    const schemaModules = [];
+    const stack = [BUILTIN_SCHEMAS_DIR];
+    while (stack.length > 0) {
+        const current = stack.pop();
+        let entries = [];
+        try {
+            entries = Array.from(dntShim.Deno.readDirSync(current));
+        }
+        catch {
+            continue;
+        }
+        for (const entry of entries) {
+            const target = path.join(current, entry.name);
+            if (entry.isDirectory) {
+                stack.push(target);
+                continue;
+            }
+            if (!entry.isFile)
+                continue;
+            const ext = path.extname(entry.name).toLowerCase();
+            if (ext !== ".ts")
+                continue;
+            schemaModules.push(target);
+        }
+    }
+    builtinSchemaBootstrapCache = Array.from(new Set(schemaModules.flatMap((entry) => Array.from(collectLocalImportGraph(entry))))).sort();
+    return builtinSchemaBootstrapCache;
+}
+let builtinSnippetBootstrapCache;
+function builtinSnippetBootstrapReads() {
+    if (builtinSnippetBootstrapCache)
+        return builtinSnippetBootstrapCache;
+    const snippetFiles = [];
+    const stack = [BUILTIN_SNIPPETS_DIR];
+    while (stack.length > 0) {
+        const current = stack.pop();
+        let entries = [];
+        try {
+            entries = Array.from(dntShim.Deno.readDirSync(current));
+        }
+        catch {
+            continue;
+        }
+        for (const entry of entries) {
+            const target = path.join(current, entry.name);
+            if (entry.isDirectory) {
+                stack.push(target);
+                continue;
+            }
+            if (!entry.isFile)
+                continue;
+            const ext = path.extname(entry.name).toLowerCase();
+            if (ext !== ".md")
+                continue;
+            snippetFiles.push(target);
+        }
+    }
+    builtinSnippetBootstrapCache = Array.from(new Set(snippetFiles)).sort();
+    return builtinSnippetBootstrapCache;
+}
+function workerBootstrapReadAllowlist(deckPath) {
+    return Array.from(new Set([
+        ...Array.from(collectLocalImportGraph(deckPath)),
+        ...WORKER_ENTRY_PATHS.flatMap((entry) => Array.from(collectLocalImportGraph(entry))),
+        ...builtinSchemaBootstrapReads(),
+        ...builtinSnippetBootstrapReads(),
+    ])).sort();
+}
+let trustedWorkerBootstrapCache;
+function trustedWorkerBootstrapReads() {
+    if (trustedWorkerBootstrapCache)
+        return trustedWorkerBootstrapCache;
+    const definitionsPath = path.fromFileUrl(new URL("./definitions.ts", globalThis[Symbol.for("import-meta-ponyfill-commonjs")](require, module).url));
+    const modPath = path.fromFileUrl(new URL("../mod.ts", globalThis[Symbol.for("import-meta-ponyfill-commonjs")](require, module).url));
+    trustedWorkerBootstrapCache = Array.from(new Set([
+        ...WORKER_ENTRY_PATHS.flatMap((entry) => Array.from(collectLocalImportGraph(entry))),
+        ...Array.from(collectLocalImportGraph(definitionsPath)),
+        ...Array.from(collectLocalImportGraph(modPath)),
+        ...builtinSchemaBootstrapReads(),
+        ...builtinSnippetBootstrapReads(),
+    ])).sort();
+    return trustedWorkerBootstrapCache;
+}
+function pathMatchesPermissionRoot(root, target) {
+    if (root === target)
+        return true;
+    const rel = path.relative(root, target);
+    return rel.length > 0 && !rel.startsWith("..") && !path.isAbsolute(rel);
+}
+function constrainBootstrapReads(permissions, roots, trustedReads, reads) {
+    const allowedRoots = [
+        ...roots.map((entry) => path.resolve(entry)),
+        ...Array.from(permissions.read.values).map((entry) => path.resolve(permissions.baseDir, entry)),
+    ];
+    if (permissions.read.all) {
+        return Array.from(new Set(reads)).sort();
+    }
+    if (allowedRoots.length === 0)
+        return [];
+    return reads.filter((entry) => {
+        const target = path.resolve(permissions.baseDir, entry);
+        if (trustedReads.has(target))
+            return true;
+        return allowedRoots.some((root) => pathMatchesPermissionRoot(root, target));
+    });
+}
+function buildWorkerPermissions(permissions, deckPath) {
+    const workerDirs = WORKER_ENTRY_PATHS.map((entry) => path.dirname(entry));
+    const bootstrapReads = constrainBootstrapReads(permissions, [path.dirname(deckPath), ...workerDirs], new Set(trustedWorkerBootstrapReads()), workerBootstrapReadAllowlist(deckPath));
+    const mergedRead = permissions.read.all ? true : Array.from(new Set([
+        ...Array.from(permissions.read.values),
+        ...bootstrapReads,
+    ])).sort();
+    return {
+        permissions: {
+            read: mergedRead === true
+                ? true
+                : mergedRead.length > 0
+                    ? mergedRead
+                    : false,
+            write: toDenoPermissionList(permissions.write),
+            run: toDenoRunPermission(permissions.run),
+            net: toDenoPermissionList(permissions.net),
+            env: toDenoPermissionList(permissions.env),
+            // Worker module graphs include JSR dependencies (e.g. @std/*). Allow
+            // manifest resolution without widening deck runtime file/run permissions.
+            import: ["jsr.io:443"],
+        },
+    };
+}
+function buildDeckInspectWorkerPermissions(deckPath) {
+    const deckDir = path.dirname(deckPath);
+    const workerDirs = WORKER_ENTRY_PATHS.map((entry) => path.dirname(entry));
+    const inspectSeedPermissions = {
+        baseDir: deckDir,
+        read: { all: false, values: new Set() },
+        write: { all: false, values: new Set() },
+        run: { all: false, paths: new Set(), commands: new Set() },
+        net: { all: false, values: new Set() },
+        env: { all: false, values: new Set() },
+    };
+    const bootstrapReads = constrainBootstrapReads(inspectSeedPermissions, [path.dirname(deckPath), ...workerDirs], new Set(trustedWorkerBootstrapReads()), workerBootstrapReadAllowlist(deckPath));
+    const inspectReads = Array.from(new Set([deckDir, ...bootstrapReads])).sort();
+    return {
+        permissions: {
+            read: inspectReads.length > 0 ? inspectReads : false,
+            write: false,
+            run: false,
+            net: false,
+            env: false,
+        },
+    };
+}
+async function inspectDeckInWorker(deckPath, runDeadlineMs) {
+    if (typeof runDeadlineMs === "number" && Number.isFinite(runDeadlineMs)) {
+        ensureNotExpired(runDeadlineMs);
+    }
+    const bridgeSession = randomId("bridge");
+    const worker = (0, runtime_worker_host_js_1.createWorkerSandboxBridge)(new URL("./runtime_worker.ts", globalThis[Symbol.for("import-meta-ponyfill-commonjs")](require, module).url).href, buildDeckInspectWorkerPermissions(deckPath));
+    let settled = false;
+    const clearAndTerminate = () => {
+        try {
+            worker.terminate();
+        }
+        catch {
+            // ignore
+        }
+    };
+    let timeoutId;
+    const outcome = new Promise((resolve, reject) => {
+        const finishResolve = (value) => {
+            if (settled)
+                return;
+            settled = true;
+            if (timeoutId !== undefined)
+                clearTimeout(timeoutId);
+            resolve(value);
+        };
+        const finishReject = (err) => {
+            if (settled)
+                return;
+            settled = true;
+            if (timeoutId !== undefined)
+                clearTimeout(timeoutId);
+            reject(err);
+        };
+        const deadlineConstrained = typeof runDeadlineMs === "number" &&
+            Number.isFinite(runDeadlineMs);
+        const timeoutMs = deadlineConstrained
+            ? Math.max(0, Math.min(INSPECT_WORKER_TIMEOUT_MS, Math.floor(runDeadlineMs - performance.now())))
+            : INSPECT_WORKER_TIMEOUT_MS;
+        const timeoutMessage = deadlineConstrained &&
+            timeoutMs < INSPECT_WORKER_TIMEOUT_MS
+            ? WORKER_TIMEOUT_MESSAGE
+            : INSPECT_WORKER_TIMEOUT_MESSAGE;
+        timeoutId = setTimeout(() => {
+            finishReject(new Error(timeoutMessage));
+            clearAndTerminate();
+        }, timeoutMs);
+        worker.addEventListener("error", (event) => {
+            event.preventDefault?.();
+            finishReject(event.error ??
+                new Error(typeof event.message === "string"
+                    ? event.message
+                    : "Worker execution failed"));
+        });
+        worker.addEventListener("messageerror", () => {
+            finishReject(new Error("Worker bridge message serialization failed"));
+        });
+        worker.addEventListener("message", (event) => {
+            const msg = event.data;
+            const receivedSession = typeof msg.bridgeSession === "string"
+                ? msg.bridgeSession
+                : "";
+            if (receivedSession !== bridgeSession) {
+                if (typeof msg.type === "string") {
+                    logger.warn(`[gambit] rejected inspect-worker message with mismatched bridge session (type=${msg.type})`);
+                }
+                return;
+            }
+            const type = typeof msg.type === "string" ? msg.type : "";
+            if (type === "deck.inspect.result") {
+                finishResolve(msg.result);
+                return;
+            }
+            if (type === "deck.inspect.error" || type === "run.error") {
+                finishReject(normalizeWorkerError(msg.error));
+            }
+        });
+    });
+    try {
+        worker.postMessage({ type: "deck.inspect", bridgeSession, deckPath });
+        return await outcome;
+    }
+    finally {
+        if (timeoutId !== undefined)
+            clearTimeout(timeoutId);
+        clearAndTerminate();
+    }
+}
+function normalizeWorkerError(err) {
+    if (!err || typeof err !== "object") {
+        return new Error(String(err));
+    }
+    const rec = err;
+    const message = typeof rec.message === "string" && rec.message.trim().length > 0
+        ? rec.message
+        : "Worker execution failed";
+    const code = typeof rec.code === "string" ? rec.code : undefined;
+    const name = typeof rec.name === "string" ? rec.name : undefined;
+    const source = typeof rec.source === "string" ? rec.source : undefined;
+    const out = new Error(source ? `[${source}] ${message}${code ? ` (${code})` : ""}` : message);
+    if (name)
+        out.name = name;
+    return out;
+}
+async function runLlmDeckInWorker(ctx) {
+    throwIfCanceled(ctx.signal);
+    const bridgeSession = randomId("bridge");
+    const completionNonce = randomId("done");
+    const worker = (0, runtime_worker_host_js_1.createWorkerSandboxBridge)(new URL("./runtime_orchestration_worker.ts", globalThis[Symbol.for("import-meta-ponyfill-commonjs")](require, module).url).href, buildWorkerPermissions(ctx.permissions, ctx.deckPath));
+    let settled = false;
+    const clearAndTerminate = () => {
+        try {
+            worker.terminate();
+        }
+        catch {
+            // ignore
+        }
+    };
+    let timeoutId;
+    const outcome = new Promise((resolve, reject) => {
+        const finishResolve = (value) => {
+            if (settled)
+                return;
+            settled = true;
+            if (timeoutId !== undefined)
+                clearTimeout(timeoutId);
+            resolve(value);
+        };
+        const finishReject = (err) => {
+            if (settled)
+                return;
+            settled = true;
+            if (timeoutId !== undefined)
+                clearTimeout(timeoutId);
+            reject(err);
+        };
+        const remainingMs = Math.max(0, Math.floor(ctx.runDeadlineMs - performance.now()));
+        timeoutId = setTimeout(() => {
+            finishReject(new Error(WORKER_TIMEOUT_MESSAGE));
+            clearAndTerminate();
+        }, remainingMs);
+        worker.addEventListener("error", (event) => {
+            event.preventDefault?.();
+            finishReject(event.error ??
+                new Error(typeof event.message === "string"
+                    ? event.message
+                    : "Worker execution failed"));
+        });
+        worker.addEventListener("messageerror", () => {
+            finishReject(new Error("Worker bridge message serialization failed"));
+        });
+        worker.addEventListener("message", (event) => {
+            const msg = event.data;
+            if (!msg || typeof msg !== "object")
+                return;
+            if (msg.bridgeSession !== bridgeSession) {
+                logger.warn(`[gambit] rejected orchestration-worker message with mismatched bridge session (type=${msg.type})`);
+                return;
+            }
+            if (msg.type === "trace.event") {
+                ctx.trace?.(msg.event);
+                return;
+            }
+            if (msg.type === "state.update") {
+                ctx.onStateUpdate?.(msg.state);
+                return;
+            }
+            if (msg.type === "stream.text") {
+                ctx.onStreamText?.(msg.chunk);
+                return;
+            }
+            if (msg.type === "model.chat.request") {
+                (async () => {
+                    try {
+                        const result = await ctx.modelProvider.chat({
+                            ...msg.input,
+                            signal: ctx.signal,
+                            onStreamText: (chunk) => {
+                                worker.postMessage({
+                                    type: "model.chat.stream",
+                                    requestId: msg.requestId,
+                                    chunk,
+                                });
+                            },
+                        });
+                        worker.postMessage({
+                            type: "model.chat.result",
+                            requestId: msg.requestId,
+                            result,
+                        });
+                    }
+                    catch (err) {
+                        worker.postMessage({
+                            type: "model.chat.error",
+                            requestId: msg.requestId,
+                            error: {
+                                source: "model",
+                                name: err instanceof Error ? err.name : undefined,
+                                message: err instanceof Error ? err.message : String(err),
+                                code: err?.code,
+                            },
+                        });
+                    }
+                })();
+                return;
+            }
+            if (msg.type === "model.responses.request") {
+                (async () => {
+                    try {
+                        if (!ctx.modelProvider.responses) {
+                            throw new Error("Responses API unavailable for current model provider");
+                        }
+                        const result = await ctx.modelProvider.responses({
+                            ...msg.input,
+                            signal: ctx.signal,
+                            onStreamEvent: (streamEvent) => {
+                                worker.postMessage({
+                                    type: "model.responses.event",
+                                    requestId: msg.requestId,
+                                    event: streamEvent,
+                                });
+                            },
+                        });
+                        worker.postMessage({
+                            type: "model.responses.result",
+                            requestId: msg.requestId,
+                            result,
+                        });
+                    }
+                    catch (err) {
+                        worker.postMessage({
+                            type: "model.responses.error",
+                            requestId: msg.requestId,
+                            error: {
+                                source: "model",
+                                name: err instanceof Error ? err.name : undefined,
+                                message: err instanceof Error ? err.message : String(err),
+                                code: err?.code,
+                            },
+                        });
+                    }
+                })();
+                return;
+            }
+            if (msg.type === "model.resolveModel.request") {
+                (async () => {
+                    try {
+                        const result = ctx.modelProvider.resolveModel
+                            ? await ctx.modelProvider.resolveModel(msg.input)
+                            : {
+                                model: Array.isArray(msg.input.model)
+                                    ? msg.input.model[0]
+                                    : msg.input.model,
+                                params: msg.input.params,
+                            };
+                        worker.postMessage({
+                            type: "model.resolveModel.result",
+                            requestId: msg.requestId,
+                            result,
+                        });
+                    }
+                    catch (err) {
+                        worker.postMessage({
+                            type: "model.resolveModel.error",
+                            requestId: msg.requestId,
+                            error: {
+                                source: "model",
+                                name: err instanceof Error ? err.name : undefined,
+                                message: err instanceof Error ? err.message : String(err),
+                                code: err?.code,
+                            },
+                        });
+                    }
+                })();
+                return;
+            }
+            if (msg.type === "run.result") {
+                if (msg.completionNonce !== completionNonce) {
+                    logger.warn(`[gambit] rejected orchestration-worker run.result with invalid completion nonce`);
+                    return;
+                }
+                finishResolve(msg.result);
+                return;
+            }
+            if (msg.type === "run.error") {
+                if (msg.completionNonce !== completionNonce) {
+                    logger.warn(`[gambit] rejected orchestration-worker run.error with invalid completion nonce`);
+                    return;
+                }
+                finishReject(normalizeWorkerError(msg.error));
+            }
+        });
+    });
+    try {
+        worker.postMessage({
+            type: "run.start",
+            bridgeSession,
+            completionNonce,
+            options: {
+                path: ctx.deckPath,
+                input: ctx.input,
+                inputProvided: ctx.inputProvided,
+                initialUserMessage: ctx.initialUserMessage,
+                isRoot: ctx.isRoot,
+                guardrails: ctx.guardrails,
+                depth: ctx.depth,
+                parentActionCallId: ctx.parentActionCallId,
+                runId: ctx.runId,
+                defaultModel: ctx.defaultModel,
+                modelOverride: ctx.modelOverride,
+                stream: ctx.stream,
+                state: ctx.state,
+                responsesMode: ctx.responsesMode,
+                allowRootStringInput: ctx.allowRootStringInput,
+                runDeadlineMs: ctx.runDeadlineMs,
+            },
+            permissionCeiling: toWirePermissionSet(ctx.permissions),
+        });
+        ensureRunActive(ctx.runDeadlineMs, ctx.signal);
+        return await outcome;
+    }
+    finally {
+        if (timeoutId !== undefined)
+            clearTimeout(timeoutId);
+        clearAndTerminate();
+    }
+}
+async function runComputeDeckInWorker(ctx) {
+    throwIfCanceled(ctx.signal);
+    const { runId } = ctx;
+    const actionCallId = randomId("action");
+    const bridgeSession = randomId("bridge");
+    const completionNonce = randomId("done");
+    const worker = (0, runtime_worker_host_js_1.createWorkerSandboxBridge)(new URL("./runtime_worker.ts", globalThis[Symbol.for("import-meta-ponyfill-commonjs")](require, module).url).href, buildWorkerPermissions(ctx.permissions, ctx.deckPath));
+    let settled = false;
+    const clearAndTerminate = () => {
+        try {
+            worker.terminate();
+        }
+        catch {
+            // ignore
+        }
+    };
+    let timeoutId;
+    const activeSpawnRequests = new Set();
+    let currentState = ctx.state;
+    const outcome = new Promise((resolve, reject) => {
+        const finishResolve = (value) => {
+            if (settled)
+                return;
+            settled = true;
+            if (timeoutId !== undefined)
+                clearTimeout(timeoutId);
+            resolve(value);
+        };
+        const finishReject = (err) => {
+            if (settled)
+                return;
+            settled = true;
+            if (timeoutId !== undefined)
+                clearTimeout(timeoutId);
+            reject(err);
+        };
+        const remainingMs = Math.max(0, Math.floor(ctx.runDeadlineMs - performance.now()));
+        timeoutId = setTimeout(() => {
+            finishReject(new Error(WORKER_TIMEOUT_MESSAGE));
+            clearAndTerminate();
+        }, remainingMs);
+        worker.addEventListener("error", (event) => {
+            event.preventDefault?.();
+            finishReject(event.error ??
+                new Error(typeof event.message === "string"
+                    ? event.message
+                    : "Worker execution failed"));
+        });
+        worker.addEventListener("messageerror", () => {
+            finishReject(new Error("Worker bridge message serialization failed"));
+        });
+        worker.addEventListener("message", (event) => {
+            const msg = event.data;
+            const receivedBridgeSession = typeof msg.bridgeSession === "string"
+                ? msg.bridgeSession
+                : "";
+            if (receivedBridgeSession !== bridgeSession) {
+                const type = typeof msg.type === "string" ? msg.type : "unknown";
+                logger.warn(`[gambit] rejected compute-worker message with mismatched bridge session (type=${type})`);
+                return;
+            }
+            // Ignore any late worker messages once this run has already settled.
+            if (settled)
+                return;
+            const type = typeof msg.type === "string" ? msg.type : "";
+            if (type === "log.entry") {
+                if (!ctx.trace)
+                    return;
+                const entry = msg.entry;
+                const raw = typeof entry === "string"
+                    ? { message: entry }
+                    : entry && typeof entry === "object"
+                        ? entry
+                        : { message: "" };
+                const message = typeof raw.message === "string"
+                    ? raw.message
+                    : raw.message !== undefined
+                        ? String(raw.message)
+                        : "";
+                const title = typeof raw.title === "string" ? raw.title : undefined;
+                const body = raw.body ?? raw.message ?? message;
+                ctx.trace({
+                    type: "log",
+                    runId,
+                    deckPath: ctx.deckPath,
+                    actionCallId,
+                    parentActionCallId: ctx.parentActionCallId,
+                    level: raw.level ?? "info",
+                    title: title ?? (message || undefined),
+                    message,
+                    body,
+                    meta: raw.meta,
+                });
+                return;
+            }
+            if (type === "spawn.request") {
+                const req = msg;
+                const requestId = req.requestId;
+                if (!requestId)
+                    return;
+                if (activeSpawnRequests.has(requestId)) {
+                    logger.warn(`[gambit] rejected duplicate compute-worker spawn.request (${requestId})`);
+                    return;
+                }
+                activeSpawnRequests.add(requestId);
+                (async () => {
+                    try {
+                        const parentFromWorker = normalizePermissionBaseDir(fromWirePermissionSet(req.payload.parentPermissions), req.payload.parentPermissionsBaseDir);
+                        // Enforce monotonicity against the parent effective ceiling.
+                        const bridgedParent = (0, permissions_js_1.intersectPermissions)(ctx.permissions, parentFromWorker, req.payload.parentPermissionsBaseDir);
+                        const childResult = await runDeck({
+                            path: req.payload.path,
+                            input: req.payload.input,
+                            modelProvider: ctx.modelProvider,
+                            isRoot: false,
+                            guardrails: ctx.guardrails,
+                            depth: ctx.depth + 1,
+                            parentActionCallId: req.payload.parentActionCallId,
+                            runId,
+                            defaultModel: ctx.defaultModel,
+                            modelOverride: ctx.modelOverride,
+                            trace: ctx.trace,
+                            stream: ctx.stream,
+                            state: currentState,
+                            onStateUpdate: (state) => {
+                                currentState = state;
+                                ctx.onStateUpdate?.(state);
+                            },
+                            onStreamText: ctx.onStreamText,
+                            responsesMode: ctx.responsesMode,
+                            initialUserMessage: req.payload.initialUserMessage,
+                            inputProvided: true,
+                            parentPermissions: bridgedParent,
+                            workspacePermissions: req.payload.workspacePermissions,
+                            workspacePermissionsBaseDir: req.payload.workspacePermissionsBaseDir,
+                            sessionPermissions: req.payload.sessionPermissions,
+                            sessionPermissionsBaseDir: req.payload.sessionPermissionsBaseDir,
+                            runDeadlineMs: Math.min(ctx.runDeadlineMs, Number.isFinite(req.payload.runDeadlineMs)
+                                ? req.payload.runDeadlineMs
+                                : ctx.runDeadlineMs),
+                            workerSandbox: true,
+                            signal: ctx.signal,
+                            onTool: ctx.onTool,
+                        });
+                        worker.postMessage({
+                            type: "spawn.result",
+                            requestId,
+                            result: childResult,
+                        });
+                    }
+                    catch (err) {
+                        worker.postMessage({
+                            type: "spawn.error",
+                            requestId,
+                            error: {
+                                source: "child",
+                                name: err instanceof Error ? err.name : undefined,
+                                message: err instanceof Error ? err.message : String(err),
+                                code: err?.code,
+                            },
+                        });
+                    }
+                    finally {
+                        activeSpawnRequests.delete(requestId);
+                    }
+                })();
+                return;
+            }
+            if (type === "state.update") {
+                const nextState = msg.state;
+                if (!nextState || typeof nextState !== "object")
+                    return;
+                currentState = nextState;
+                ctx.onStateUpdate?.(nextState);
+                return;
+            }
+            if (type === "run.result") {
+                if (msg.completionNonce !==
+                    completionNonce) {
+                    logger.warn(`[gambit] rejected compute-worker run.result with invalid completion nonce`);
+                    return;
+                }
+                finishResolve(msg.result);
+                return;
+            }
+            if (type === "run.error") {
+                if (msg.completionNonce !==
+                    completionNonce) {
+                    logger.warn(`[gambit] rejected compute-worker run.error with invalid completion nonce`);
+                    return;
+                }
+                finishReject(normalizeWorkerError(msg.error));
+            }
+        });
+    });
+    try {
+        worker.postMessage({
+            type: "run.start",
+            bridgeSession,
+            completionNonce,
+            runId,
+            actionCallId,
+            deckPath: ctx.deckPath,
+            input: ctx.input,
+            state: ctx.state,
+            initialUserMessage: ctx.initialUserMessage,
+            depth: ctx.depth,
+            parentActionCallId: ctx.parentActionCallId,
+            permissions: toWirePermissionSet(ctx.permissions),
+            workspacePermissions: ctx.workspacePermissions,
+            workspacePermissionsBaseDir: ctx.workspacePermissionsBaseDir,
+            sessionPermissions: ctx.sessionPermissions,
+            sessionPermissionsBaseDir: ctx.sessionPermissionsBaseDir,
+            runDeadlineMs: ctx.runDeadlineMs,
+            isRoot: ctx.isRoot,
+            allowRootStringInput: ctx.allowRootStringInput,
+        });
+        const raw = await outcome;
+        ensureRunActive(ctx.runDeadlineMs, ctx.signal);
+        return raw;
     }
-    if (isRoot) {
-        if (typeof output === "string")
-            return output;
-        return JSON.stringify(output);
+    finally {
+        if (timeoutId !== undefined)
+            clearTimeout(timeoutId);
+        clearAndTerminate();
     }
-    throw new Error(`Deck ${deck.path} requires outputSchema (non-root)`);
 }
-async function runComputeDeck(ctx) {
+async function runComputeDeckInProcess(ctx) {
     const { deck, runId } = ctx;
     const actionCallId = randomId("action");
+    let computeState = ctx.state
+        ? {
+            ...ctx.state,
+            messages: Array.isArray(ctx.state.messages)
+                ? ctx.state.messages.map(sanitizeMessage)
+                : [],
+            meta: ctx.state.meta ? { ...ctx.state.meta } : undefined,
+            messageRefs: Array.isArray(ctx.state.messageRefs)
+                ? [...ctx.state.messageRefs]
+                : undefined,
+        }
+        : undefined;
+    const ensureComputeState = () => {
+        if (computeState)
+            return computeState;
+        computeState = {
+            runId,
+            messages: [],
+            meta: {},
+            messageRefs: [],
+        };
+        return computeState;
+    };
+    const publishComputeState = () => {
+        if (!computeState)
+            return;
+        ctx.onStateUpdate?.({
+            ...computeState,
+            messages: computeState.messages.map(sanitizeMessage),
+            meta: computeState.meta ? { ...computeState.meta } : undefined,
+            messageRefs: Array.isArray(computeState.messageRefs)
+                ? [...computeState.messageRefs]
+                : undefined,
+        });
+    };
     const execContext = {
         runId,
         actionCallId,
         parentActionCallId: ctx.parentActionCallId,
         depth: ctx.depth,
         input: ctx.input,
+        initialUserMessage: ctx.initialUserMessage,
+        getSessionMeta: (key) => {
+            if (!key)
+                return undefined;
+            return computeState?.meta?.[key];
+        },
+        setSessionMeta: (key, value) => {
+            if (!key)
+                return;
+            const state = ensureComputeState();
+            const nextMeta = { ...(state.meta ?? {}) };
+            if (value === undefined) {
+                delete nextMeta[key];
+            }
+            else {
+                nextMeta[key] = value;
+            }
+            state.meta = nextMeta;
+            publishComputeState();
+        },
+        appendMessage: (message) => {
+            const role = message.role;
+            const content = String(message.content ?? "");
+            if ((role !== "user" && role !== "assistant") || !content.trim()) {
+                return;
+            }
+            const state = ensureComputeState();
+            const sanitized = sanitizeMessage({ role, content: content.trim() });
+            state.messages = [...(state.messages ?? []), sanitized];
+            const refs = Array.isArray(state.messageRefs)
+                ? [...state.messageRefs]
+                : [];
+            refs.push({ id: randomId("msg"), role: sanitized.role });
+            state.messageRefs = refs;
+            publishComputeState();
+        },
         label: deck.label,
         log: (entry) => {
             if (!ctx.trace)
@@ -278,9 +2283,13 @@ async function runComputeDeck(ctx) {
             });
         },
         spawnAndWait: async (opts) => {
+            ensureRunActive(ctx.runDeadlineMs, ctx.signal);
             const childPath = path.isAbsolute(opts.path)
                 ? opts.path
                 : path.resolve(path.dirname(deck.path), opts.path);
+            const childInitialUserMessage = Object.hasOwn(opts, "initialUserMessage")
+                ? opts.initialUserMessage
+                : ctx.initialUserMessage;
             return await runDeck({
                 path: childPath,
                 input: opts.input,
@@ -294,11 +2303,33 @@ async function runComputeDeck(ctx) {
                 modelOverride: ctx.modelOverride,
                 trace: ctx.trace,
                 stream: ctx.stream,
-                state: ctx.state,
-                onStateUpdate: ctx.onStateUpdate,
+                state: computeState,
+                onStateUpdate: (state) => {
+                    computeState = {
+                        ...state,
+                        messages: Array.isArray(state.messages)
+                            ? state.messages.map(sanitizeMessage)
+                            : [],
+                        meta: state.meta ? { ...state.meta } : undefined,
+                        messageRefs: Array.isArray(state.messageRefs)
+                            ? [...state.messageRefs]
+                            : undefined,
+                    };
+                    ctx.onStateUpdate?.(state);
+                },
                 onStreamText: ctx.onStreamText,
-                initialUserMessage: undefined,
+                responsesMode: ctx.responsesMode,
+                initialUserMessage: childInitialUserMessage,
                 inputProvided: true,
+                parentPermissions: ctx.permissions,
+                workspacePermissions: ctx.workspacePermissions,
+                workspacePermissionsBaseDir: ctx.workspacePermissionsBaseDir,
+                sessionPermissions: ctx.sessionPermissions,
+                sessionPermissionsBaseDir: ctx.sessionPermissionsBaseDir,
+                runDeadlineMs: ctx.runDeadlineMs,
+                workerSandbox: ctx.workerSandbox,
+                signal: ctx.signal,
+                onTool: ctx.onTool,
             });
         },
         fail: (opts) => {
@@ -306,7 +2337,9 @@ async function runComputeDeck(ctx) {
         },
         return: (payload) => Promise.resolve(payload),
     };
+    ensureRunActive(ctx.runDeadlineMs, ctx.signal);
     const raw = await deck.executor(execContext);
+    ensureRunActive(ctx.runDeadlineMs, ctx.signal);
     return validateOutput(deck, raw, ctx.depth === 0);
 }
 async function runLlmDeck(ctx) {
@@ -314,13 +2347,17 @@ async function runLlmDeck(ctx) {
     const actionCallId = randomId("action");
     const start = performance.now();
     const respondEnabled = Boolean(deck.respond);
+    const useResponses = Boolean(ctx.responsesMode) ||
+        ctx.state?.format === "responses";
     const systemPrompt = buildSystemPrompt(deck);
     const refToolCallId = randomId("call");
-    const messages = ctx.state?.messages
+    const messages = ctx.state?.messages?.length
         ? ctx.state.messages.map(sanitizeMessage)
-        : [];
+        : ctx.state?.items?.length
+            ? messagesFromResponseItems(ctx.state.items).map(sanitizeMessage)
+            : [];
     const resumed = messages.length > 0;
-    const sendInit = Boolean(inputProvided) && input !== undefined && !resumed;
+    const sendContext = Boolean(inputProvided) && input !== undefined && !resumed;
     const idleController = createIdleController({
         cfg: deck.handlers?.onIdle,
         deck,
@@ -335,11 +2372,21 @@ async function runLlmDeck(ctx) {
         stream: ctx.stream,
         onStreamText: ctx.onStreamText,
         pushMessages: (msgs) => messages.push(...msgs.map(sanitizeMessage)),
+        responsesMode: ctx.responsesMode,
+        permissions: ctx.permissions,
+        workspacePermissions: ctx.workspacePermissions,
+        workspacePermissionsBaseDir: ctx.workspacePermissionsBaseDir,
+        sessionPermissions: ctx.sessionPermissions,
+        sessionPermissionsBaseDir: ctx.sessionPermissionsBaseDir,
+        runDeadlineMs: ctx.runDeadlineMs,
+        workerSandbox: ctx.workerSandbox,
+        signal: ctx.signal,
+        onTool: ctx.onTool,
     });
     let streamingBuffer = "";
     let streamingCommitted = false;
     const wrappedOnStreamText = (chunk) => {
-        if (!chunk)
+        if (!chunk || ctx.signal?.aborted)
             return;
         idleController.touch();
         streamingBuffer += chunk;
@@ -347,13 +2394,14 @@ async function runLlmDeck(ctx) {
     };
     if (!resumed) {
         messages.push(sanitizeMessage({ role: "system", content: systemPrompt }));
-        if (sendInit) {
+        if (sendContext) {
             ctx.trace?.({
                 type: "tool.call",
                 runId,
                 actionCallId: refToolCallId,
-                name: constants_js_1.GAMBIT_TOOL_INIT,
+                name: constants_js_1.GAMBIT_TOOL_CONTEXT,
                 args: {},
+                toolKind: "internal",
                 parentActionCallId: actionCallId,
             });
             messages.push(sanitizeMessage({
@@ -363,13 +2411,13 @@ async function runLlmDeck(ctx) {
                         id: refToolCallId,
                         type: "function",
                         function: {
-                            name: constants_js_1.GAMBIT_TOOL_INIT,
+                            name: constants_js_1.GAMBIT_TOOL_CONTEXT,
                             arguments: "{}",
                         },
                     }],
             }), sanitizeMessage({
                 role: "tool",
-                name: constants_js_1.GAMBIT_TOOL_INIT,
+                name: constants_js_1.GAMBIT_TOOL_CONTEXT,
                 tool_call_id: refToolCallId,
                 content: JSON.stringify(input),
             }));
@@ -377,8 +2425,9 @@ async function runLlmDeck(ctx) {
                 type: "tool.result",
                 runId,
                 actionCallId: refToolCallId,
-                name: constants_js_1.GAMBIT_TOOL_INIT,
+                name: constants_js_1.GAMBIT_TOOL_CONTEXT,
                 result: input,
+                toolKind: "internal",
                 parentActionCallId: actionCallId,
             });
         }
@@ -399,29 +2448,36 @@ async function runLlmDeck(ctx) {
         });
     }
     idleController.touch();
-    const tools = await buildToolDefs(deck);
+    const tools = await buildToolDefs(deck, ctx.permissions);
     ctx.trace?.({
         type: "deck.start",
         runId,
         deckPath: deck.path,
         actionCallId,
         parentActionCallId: ctx.parentActionCallId,
+        permissions: ctx.permissionsTrace,
     });
     let passes = 0;
     try {
         while (passes < guardrails.maxPasses) {
             passes++;
-            if (performance.now() - start > guardrails.timeoutMs) {
-                throw new Error("Timeout exceeded");
-            }
+            ensureRunActive(ctx.runDeadlineMs, ctx.signal);
             streamingBuffer = "";
             streamingCommitted = false;
-            const model = ctx.modelOverride ??
+            const modelCandidate = ctx.modelOverride ??
                 deck.modelParams?.model ??
                 ctx.defaultModel ??
                 (() => {
                     throw new Error(`No model configured for deck ${deck.path} and no --model provided`);
                 })();
+            const resolved = await resolveModelChoice({
+                model: modelCandidate,
+                params: toProviderParams(deck.modelParams),
+                modelProvider,
+                deckPath: deck.path,
+            });
+            const model = resolved.model;
+            const providerParams = resolved.params;
             const stateMessages = ctx.state?.messages?.length;
             ctx.trace?.({
                 type: "model.call",
@@ -435,21 +2491,134 @@ async function runLlmDeck(ctx) {
                 messages: messages.map(sanitizeMessage),
                 tools,
                 stateMessages,
-                parentActionCallId: ctx.parentActionCallId,
-            });
-            const result = await modelProvider.chat({
-                model,
-                messages,
-                tools,
-                stream: ctx.stream,
-                state: ctx.state,
-                params: toProviderParams(deck.modelParams),
-                onStreamText: (ctx.onStreamText || deck.handlers?.onIdle)
-                    ? wrappedOnStreamText
+                mode: useResponses ? "responses" : "chat",
+                responseItems: useResponses
+                    ? responseItemsFromMessages(messages)
                     : undefined,
+                parentActionCallId: ctx.parentActionCallId,
             });
+            let responseOutputItems;
+            const responses = modelProvider.responses;
+            const projectedToolCalls = new Set();
+            const projectedToolResults = new Set();
+            const projectedToolNames = new Map();
+            const result = (useResponses && responses)
+                ? await (async () => {
+                    const responseItems = responseItemsFromMessages(messages);
+                    let sawDelta = false;
+                    const response = await responses({
+                        request: {
+                            model,
+                            input: responseItems,
+                            tools: tools,
+                            stream: ctx.stream,
+                            params: providerParams,
+                        },
+                        state: ctx.state,
+                        deckPath: deck.path,
+                        signal: ctx.signal,
+                        onStreamEvent: (ctx.trace || ctx.onStreamText || deck.handlers?.onIdle)
+                            ? (event) => {
+                                if (ctx.trace) {
+                                    const streamEvent = event;
+                                    const handledAsResponse = traceOpenResponsesStreamEvent({
+                                        streamEvent,
+                                        runId,
+                                        actionCallId,
+                                        deckPath: deck.path,
+                                        model,
+                                        parentActionCallId: ctx.parentActionCallId,
+                                        trace: ctx.trace,
+                                    });
+                                    if (!handledAsResponse) {
+                                        ctx.trace({
+                                            type: "model.stream.event",
+                                            runId,
+                                            actionCallId,
+                                            deckPath: deck.path,
+                                            model,
+                                            event: streamEvent,
+                                            parentActionCallId: ctx.parentActionCallId,
+                                        });
+                                    }
+                                    projectStreamToolTraceEvents({
+                                        streamEvent,
+                                        runId,
+                                        parentActionCallId: actionCallId,
+                                        trace: ctx.trace,
+                                        emittedCalls: projectedToolCalls,
+                                        emittedResults: projectedToolResults,
+                                        toolNames: projectedToolNames,
+                                    });
+                                }
+                                if (event.type === "response.output_text.delta") {
+                                    sawDelta = true;
+                                    wrappedOnStreamText(event.delta);
+                                }
+                                else if (event.type === "response.output_text.done" && !sawDelta) {
+                                    wrappedOnStreamText(event.text);
+                                }
+                            }
+                            : undefined,
+                    });
+                    responseOutputItems = response.output ?? [];
+                    const mapped = mapResponseOutput(responseOutputItems);
+                    return {
+                        message: mapped.message,
+                        finishReason: mapped.toolCalls?.length ? "tool_calls" : "stop",
+                        toolCalls: mapped.toolCalls,
+                        usage: response.usage,
+                        updatedState: response.updatedState,
+                    };
+                })()
+                : await modelProvider.chat({
+                    model,
+                    messages,
+                    tools,
+                    stream: ctx.stream,
+                    state: ctx.state,
+                    deckPath: deck.path,
+                    signal: ctx.signal,
+                    params: providerParams,
+                    onStreamText: (ctx.onStreamText || deck.handlers?.onIdle)
+                        ? wrappedOnStreamText
+                        : undefined,
+                    onStreamEvent: ctx.trace
+                        ? (event) => {
+                            const handledAsResponse = traceOpenResponsesStreamEvent({
+                                streamEvent: event,
+                                runId,
+                                actionCallId,
+                                deckPath: deck.path,
+                                model,
+                                parentActionCallId: ctx.parentActionCallId,
+                                trace: ctx.trace,
+                            });
+                            if (!handledAsResponse) {
+                                ctx.trace?.({
+                                    type: "model.stream.event",
+                                    runId,
+                                    actionCallId,
+                                    deckPath: deck.path,
+                                    model,
+                                    event,
+                                    parentActionCallId: ctx.parentActionCallId,
+                                });
+                            }
+                            projectStreamToolTraceEvents({
+                                streamEvent: event,
+                                runId,
+                                parentActionCallId: actionCallId,
+                                trace: ctx.trace,
+                                emittedCalls: projectedToolCalls,
+                                emittedResults: projectedToolResults,
+                                toolNames: projectedToolNames,
+                            });
+                        }
+                        : undefined,
+                });
             idleController.touch();
-            const message = result.message;
+            let message = result.message;
             ctx.trace?.({
                 type: "model.result",
                 runId,
@@ -460,6 +2629,9 @@ async function runLlmDeck(ctx) {
                 message: sanitizeMessage(message),
                 toolCalls: result.toolCalls,
                 stateMessages: result.updatedState?.messages?.length,
+                usage: result.usage,
+                mode: useResponses ? "responses" : "chat",
+                responseItems: responseOutputItems,
                 parentActionCallId: ctx.parentActionCallId,
             });
             const computeState = (updated) => {
@@ -468,17 +2640,31 @@ async function runLlmDeck(ctx) {
                 const mergedMessages = base.messages && base.messages.length > 0
                     ? base.messages.map(sanitizeMessage)
                     : messages.map(sanitizeMessage);
+                const responseItems = useResponses
+                    ? responseItemsFromMessages(mergedMessages)
+                    : updated?.items ?? ctx.state?.items;
                 const priorRefs = updated?.messageRefs ?? ctx.state?.messageRefs ?? [];
                 const messageRefs = mergedMessages.map((m, idx) => priorRefs[idx] ?? { id: randomId("msg"), role: m.role });
                 const feedback = updated?.feedback ?? ctx.state?.feedback;
                 const traces = updated?.traces ?? ctx.state?.traces;
+                const meta = updated?.meta ?? ctx.state?.meta;
+                const notes = updated?.notes ?? ctx.state?.notes;
+                const conversationScore = updated?.conversationScore ??
+                    ctx.state?.conversationScore;
                 return {
                     ...base,
                     runId,
                     messages: mergedMessages,
+                    format: useResponses
+                        ? "responses"
+                        : updated?.format ?? ctx.state?.format,
+                    items: responseItems,
                     messageRefs,
                     feedback,
                     traces,
+                    meta,
+                    notes,
+                    conversationScore,
                 };
             };
             if (result.toolCalls && result.toolCalls.length > 0) {
@@ -486,8 +2672,10 @@ async function runLlmDeck(ctx) {
                 let respondValue;
                 let endSignal;
                 const appendedMessages = [];
-                if (!streamingCommitted && streamingBuffer) {
-                    messages.push(sanitizeMessage({ role: "assistant", content: streamingBuffer }));
+                const toolCallText = streamingBuffer ||
+                    (typeof message.content === "string" ? message.content : "");
+                if (!streamingCommitted && toolCallText) {
+                    messages.push(sanitizeMessage({ role: "assistant", content: toolCallText }));
                     streamingCommitted = true;
                 }
                 for (const call of result.toolCalls) {
@@ -525,6 +2713,7 @@ async function runLlmDeck(ctx) {
                             actionCallId: call.id,
                             name: call.name,
                             args: call.args,
+                            toolKind: "internal",
                             parentActionCallId: actionCallId,
                         });
                         const toolContent = JSON.stringify(call.args ?? {});
@@ -554,6 +2743,7 @@ async function runLlmDeck(ctx) {
                             actionCallId: call.id,
                             name: call.name,
                             result: respondEnvelope,
+                            toolKind: "internal",
                             parentActionCallId: actionCallId,
                         });
                         continue;
@@ -580,6 +2770,7 @@ async function runLlmDeck(ctx) {
                             actionCallId: call.id,
                             name: call.name,
                             args: call.args,
+                            toolKind: "internal",
                             parentActionCallId: actionCallId,
                         });
                         const toolContent = JSON.stringify(call.args ?? {});
@@ -619,10 +2810,23 @@ async function runLlmDeck(ctx) {
                             actionCallId: call.id,
                             name: call.name,
                             result: signal,
+                            toolKind: "internal",
                             parentActionCallId: actionCallId,
                         });
                         continue;
                     }
+                    const actionRef = deck.actionDecks.find((a) => a.name === call.name);
+                    const toolKind = actionRef ? "action" : "external";
+                    const actionPermissions = (0, permissions_js_1.resolveEffectivePermissions)({
+                        baseDir: path.dirname(deck.path),
+                        parent: ctx.permissions,
+                        reference: actionRef?.permissions
+                            ? {
+                                baseDir: path.dirname(deck.path),
+                                permissions: actionRef.permissions,
+                            }
+                            : undefined,
+                    });
                     ctx.trace?.({
                         type: "action.start",
                         runId,
@@ -630,6 +2834,7 @@ async function runLlmDeck(ctx) {
                         name: call.name,
                         path: call.name,
                         parentActionCallId: actionCallId,
+                        permissions: actionPermissions.trace,
                     });
                     ctx.trace?.({
                         type: "tool.call",
@@ -637,6 +2842,7 @@ async function runLlmDeck(ctx) {
                         actionCallId: call.id,
                         name: call.name,
                         args: call.args,
+                        toolKind,
                         parentActionCallId: actionCallId,
                     });
                     const toolResult = await handleToolCall(call, {
@@ -655,6 +2861,16 @@ async function runLlmDeck(ctx) {
                         runStartedAt: start,
                         inputProvided: true,
                         idle: idleController,
+                        responsesMode: ctx.responsesMode,
+                        permissions: ctx.permissions,
+                        workspacePermissions: ctx.workspacePermissions,
+                        workspacePermissionsBaseDir: ctx.workspacePermissionsBaseDir,
+                        sessionPermissions: ctx.sessionPermissions,
+                        sessionPermissionsBaseDir: ctx.sessionPermissionsBaseDir,
+                        runDeadlineMs: ctx.runDeadlineMs,
+                        workerSandbox: ctx.workerSandbox,
+                        signal: ctx.signal,
+                        onTool: ctx.onTool,
                     });
                     ctx.trace?.({
                         type: "tool.result",
@@ -662,6 +2878,7 @@ async function runLlmDeck(ctx) {
                         actionCallId: call.id,
                         name: call.name,
                         result: toolResult.toolContent,
+                        toolKind,
                         parentActionCallId: actionCallId,
                     });
                     appendedMessages.push({
@@ -699,6 +2916,7 @@ async function runLlmDeck(ctx) {
                     idleController.touch();
                 }
                 if (ctx.onStateUpdate) {
+                    ensureRunActive(ctx.runDeadlineMs, ctx.signal);
                     const state = computeState(result.updatedState);
                     ctx.onStateUpdate(state);
                 }
@@ -724,6 +2942,12 @@ async function runLlmDeck(ctx) {
                 }
                 continue;
             }
+            if (!respondEnabled &&
+                result.finishReason === "stop" &&
+                (message.content === null || message.content === undefined) &&
+                (!result.toolCalls || result.toolCalls.length === 0)) {
+                message = { ...message, content: "" };
+            }
             if (result.finishReason === "tool_calls") {
                 throw new Error("Model requested tool_calls but provided none");
             }
@@ -733,6 +2957,7 @@ async function runLlmDeck(ctx) {
             }
             if (message.content !== null && message.content !== undefined) {
                 messages.push(sanitizeMessage(message));
+                ensureRunActive(ctx.runDeadlineMs, ctx.signal);
                 if (ctx.onStateUpdate) {
                     const state = computeState(result.updatedState);
                     ctx.onStateUpdate(state);
@@ -775,23 +3000,11 @@ async function runLlmDeck(ctx) {
     throw new Error("Model did not complete within guardrails");
 }
 async function handleToolCall(call, ctx) {
-    const action = ctx.parentDeck.actionDecks.find((a) => a.name === call.name);
+    ensureRunActive(ctx.runDeadlineMs, ctx.signal);
     const source = {
         deckPath: ctx.parentDeck.path,
-        actionName: action?.name ?? call.name,
+        actionName: call.name,
     };
-    if (!action) {
-        return {
-            toolContent: JSON.stringify({
-                runId: ctx.runId,
-                actionCallId: call.id,
-                parentActionCallId: ctx.parentActionCallId,
-                source,
-                status: 404,
-                message: "unknown action",
-            }),
-        };
-    }
     const baseComplete = (payload) => JSON.stringify({
         runId: ctx.runId,
         actionCallId: call.id,
@@ -805,6 +3018,480 @@ async function handleToolCall(call, ctx) {
     });
     const extraMessages = [];
     const started = performance.now();
+    const runBuiltinTool = async () => {
+        if (!isBuiltinTool(call.name))
+            return null;
+        const deny = (message) => ({
+            toolContent: baseComplete({
+                status: 403,
+                code: "permission_denied",
+                message,
+            }),
+        });
+        if (call.name === BUILTIN_TOOL_READ_FILE) {
+            let targetPath;
+            try {
+                targetPath = resolveToolPath(ctx.permissions.baseDir, call.args.path);
+            }
+            catch (err) {
+                return {
+                    toolContent: baseComplete({
+                        status: 400,
+                        code: "invalid_input",
+                        message: err instanceof Error ? err.message : String(err),
+                    }),
+                };
+            }
+            if (!(0, permissions_js_1.canReadPath)(ctx.permissions, targetPath)) {
+                return deny(`read_file denied for ${targetPath}`);
+            }
+            const text = await dntShim.Deno.readTextFile(targetPath);
+            const lines = text.split(/\r?\n/);
+            const { startLine, endLine } = parseLineRange(call.args);
+            const sliced = lines.slice(startLine - 1, endLine).join("\n");
+            return {
+                toolContent: baseComplete({
+                    status: 200,
+                    payload: {
+                        path: targetPath,
+                        start_line: startLine,
+                        end_line: endLine,
+                        total_lines: lines.length,
+                        content: sliced,
+                    },
+                }),
+            };
+        }
+        if (call.name === BUILTIN_TOOL_LIST_DIR) {
+            let targetPath;
+            try {
+                targetPath = resolveToolPath(ctx.permissions.baseDir, call.args.path);
+            }
+            catch (err) {
+                return {
+                    toolContent: baseComplete({
+                        status: 400,
+                        code: "invalid_input",
+                        message: err instanceof Error ? err.message : String(err),
+                    }),
+                };
+            }
+            if (!(0, permissions_js_1.canReadPath)(ctx.permissions, targetPath)) {
+                return deny(`list_dir denied for ${targetPath}`);
+            }
+            const recursive = Boolean(call.args.recursive);
+            const maxEntries = parseToolLimit(call.args.max_entries, 200, 2000);
+            const out = [];
+            const pending = [targetPath];
+            while (pending.length > 0 && out.length < maxEntries) {
+                const current = pending.pop();
+                for await (const entry of dntShim.Deno.readDir(current)) {
+                    if (out.length >= maxEntries)
+                        break;
+                    const entryPath = path.join(current, entry.name);
+                    if (!(0, permissions_js_1.canReadPath)(ctx.permissions, entryPath))
+                        continue;
+                    const type = entry.isDirectory
+                        ? "dir"
+                        : entry.isSymlink
+                            ? "symlink"
+                            : "file";
+                    out.push({ path: entryPath, type });
+                    if (recursive && entry.isDirectory) {
+                        pending.push(entryPath);
+                    }
+                }
+            }
+            return {
+                toolContent: baseComplete({
+                    status: 200,
+                    payload: {
+                        path: targetPath,
+                        recursive,
+                        entries: out,
+                        truncated: out.length >= maxEntries,
+                    },
+                }),
+            };
+        }
+        if (call.name === BUILTIN_TOOL_GREP_FILES) {
+            let targetPath;
+            try {
+                targetPath = resolveToolPath(ctx.permissions.baseDir, call.args.path);
+            }
+            catch (err) {
+                return {
+                    toolContent: baseComplete({
+                        status: 400,
+                        code: "invalid_input",
+                        message: err instanceof Error ? err.message : String(err),
+                    }),
+                };
+            }
+            if (!(0, permissions_js_1.canReadPath)(ctx.permissions, targetPath)) {
+                return deny(`grep_files denied for ${targetPath}`);
+            }
+            const query = typeof call.args.query === "string" ? call.args.query : "";
+            if (!query) {
+                return {
+                    toolContent: baseComplete({
+                        status: 400,
+                        code: "invalid_input",
+                        message: "query is required",
+                    }),
+                };
+            }
+            let re;
+            try {
+                re = new RegExp(query, "g");
+            }
+            catch (err) {
+                return {
+                    toolContent: baseComplete({
+                        status: 400,
+                        code: "invalid_regex",
+                        message: err instanceof Error ? err.message : String(err),
+                    }),
+                };
+            }
+            const maxMatches = parseToolLimit(call.args.max_matches, 200, 2000);
+            const matches = [];
+            const pending = [targetPath];
+            while (pending.length > 0 && matches.length < maxMatches) {
+                const current = pending.pop();
+                const stat = await dntShim.Deno.stat(current);
+                if (stat.isDirectory) {
+                    for await (const entry of dntShim.Deno.readDir(current)) {
+                        const entryPath = path.join(current, entry.name);
+                        if (!(0, permissions_js_1.canReadPath)(ctx.permissions, entryPath))
+                            continue;
+                        if (entry.isDirectory) {
+                            pending.push(entryPath);
+                            continue;
+                        }
+                        if (!entry.isFile)
+                            continue;
+                        const text = await dntShim.Deno.readTextFile(entryPath).catch(() => null);
+                        if (text === null)
+                            continue;
+                        const lines = text.split(/\r?\n/);
+                        for (let i = 0; i < lines.length; i++) {
+                            re.lastIndex = 0;
+                            if (!re.test(lines[i]))
+                                continue;
+                            matches.push({ path: entryPath, line: i + 1, text: lines[i] });
+                            if (matches.length >= maxMatches)
+                                break;
+                        }
+                        if (matches.length >= maxMatches)
+                            break;
+                    }
+                    continue;
+                }
+                if (!stat.isFile)
+                    continue;
+                const text = await dntShim.Deno.readTextFile(current).catch(() => null);
+                if (text === null)
+                    continue;
+                const lines = text.split(/\r?\n/);
+                for (let i = 0; i < lines.length; i++) {
+                    re.lastIndex = 0;
+                    if (!re.test(lines[i]))
+                        continue;
+                    matches.push({ path: current, line: i + 1, text: lines[i] });
+                    if (matches.length >= maxMatches)
+                        break;
+                }
+            }
+            return {
+                toolContent: baseComplete({
+                    status: 200,
+                    payload: {
+                        path: targetPath,
+                        query,
+                        matches,
+                        truncated: matches.length >= maxMatches,
+                    },
+                }),
+            };
+        }
+        if (call.name === BUILTIN_TOOL_APPLY_PATCH) {
+            let targetPath;
+            try {
+                targetPath = resolveToolPath(ctx.permissions.baseDir, call.args.path);
+            }
+            catch (err) {
+                return {
+                    toolContent: baseComplete({
+                        status: 400,
+                        code: "invalid_input",
+                        message: err instanceof Error ? err.message : String(err),
+                    }),
+                };
+            }
+            if (!(0, permissions_js_1.canWritePath)(ctx.permissions, targetPath)) {
+                return deny(`apply_patch denied for ${targetPath}`);
+            }
+            const rawEdits = Array.isArray(call.args.edits) ? call.args.edits : [];
+            const edits = rawEdits.flatMap((entry) => {
+                if (!entry || typeof entry !== "object")
+                    return [];
+                const rec = entry;
+                if (typeof rec.old_text !== "string" || typeof rec.new_text !== "string") {
+                    return [];
+                }
+                return [{
+                        oldText: rec.old_text,
+                        newText: rec.new_text,
+                        replaceAll: Boolean(rec.replace_all),
+                    }];
+            });
+            if (edits.length === 0) {
+                return {
+                    toolContent: baseComplete({
+                        status: 400,
+                        code: "invalid_input",
+                        message: "edits must include at least one old_text/new_text pair",
+                    }),
+                };
+            }
+            const createIfMissing = Boolean(call.args.create_if_missing);
+            let existing = "";
+            let created = false;
+            try {
+                if (!(0, permissions_js_1.canReadPath)(ctx.permissions, targetPath)) {
+                    return deny(`apply_patch read denied for ${targetPath}`);
+                }
+                existing = await dntShim.Deno.readTextFile(targetPath);
+            }
+            catch (err) {
+                if (err instanceof dntShim.Deno.errors.NotFound) {
+                    if (!createIfMissing) {
+                        return {
+                            toolContent: baseComplete({
+                                status: 404,
+                                code: "not_found",
+                                message: `file not found: ${targetPath}`,
+                            }),
+                        };
+                    }
+                    created = true;
+                    existing = "";
+                }
+                else {
+                    throw err;
+                }
+            }
+            const patched = applySimplePatch(existing, edits);
+            if (!created && patched.applied === 0) {
+                return {
+                    toolContent: baseComplete({
+                        status: 409,
+                        code: "no_changes",
+                        message: `No edit targets were found in ${targetPath}`,
+                    }),
+                };
+            }
+            if (created) {
+                const parentDir = path.dirname(targetPath);
+                if (parentDir && parentDir !== "." && parentDir !== targetPath) {
+                    await dntShim.Deno.mkdir(parentDir, { recursive: true });
+                }
+            }
+            try {
+                await dntShim.Deno.writeTextFile(targetPath, patched.next);
+            }
+            catch (err) {
+                if (err instanceof dntShim.Deno.errors.NotFound) {
+                    return {
+                        toolContent: baseComplete({
+                            status: 404,
+                            code: "not_found",
+                            message: `path not found: ${targetPath}`,
+                        }),
+                    };
+                }
+                return {
+                    toolContent: baseComplete({
+                        status: 500,
+                        code: "write_failed",
+                        message: err instanceof Error ? err.message : String(err),
+                    }),
+                };
+            }
+            return {
+                toolContent: baseComplete({
+                    status: 200,
+                    payload: {
+                        path: targetPath,
+                        applied: patched.applied,
+                        created,
+                    },
+                }),
+            };
+        }
+        if (call.name === BUILTIN_TOOL_EXEC) {
+            const command = typeof call.args.command === "string"
+                ? call.args.command
+                : "";
+            if (!command) {
+                return {
+                    toolContent: baseComplete({
+                        status: 400,
+                        code: "invalid_input",
+                        message: "command is required",
+                    }),
+                };
+            }
+            if (!(0, permissions_js_1.canRunCommand)(ctx.permissions, command) &&
+                !(0, permissions_js_1.canRunPath)(ctx.permissions, command)) {
+                return deny(`exec denied for command ${command}`);
+            }
+            const args = toStringArray(call.args.args);
+            const cwd = typeof call.args.cwd === "string"
+                ? path.resolve(ctx.permissions.baseDir, call.args.cwd)
+                : ctx.permissions.baseDir;
+            const timeoutMs = parseToolLimit(call.args.timeout_ms, 5000, 30000);
+            const remainingMs = Math.max(1, Math.min(timeoutMs, Math.floor(ctx.runDeadlineMs - performance.now())));
+            const controller = new AbortController();
+            const onAbort = () => controller.abort();
+            if (ctx.signal?.aborted) {
+                controller.abort();
+            }
+            else if (ctx.signal) {
+                ctx.signal.addEventListener("abort", onAbort, { once: true });
+            }
+            const timeoutId = setTimeout(() => controller.abort(), remainingMs);
+            try {
+                const output = await (0, runtime_exec_host_js_1.executeBuiltinCommand)({
+                    command,
+                    args,
+                    cwd,
+                    signal: controller.signal,
+                });
+                const stdout = new TextDecoder().decode(output.stdout).slice(0, 65536);
+                const stderr = new TextDecoder().decode(output.stderr).slice(0, 65536);
+                return {
+                    toolContent: baseComplete({
+                        status: 200,
+                        payload: {
+                            command,
+                            args,
+                            cwd,
+                            code: output.code,
+                            success: output.success,
+                            stdout,
+                            stderr,
+                        },
+                    }),
+                };
+            }
+            catch (err) {
+                if (err instanceof runtime_exec_host_js_1.ExecToolUnsupportedHostError) {
+                    return {
+                        toolContent: baseComplete({
+                            status: 501,
+                            code: err.code,
+                            message: err.message,
+                        }),
+                    };
+                }
+                return {
+                    toolContent: baseComplete({
+                        status: 500,
+                        code: "exec_failed",
+                        message: err instanceof Error ? err.message : String(err),
+                    }),
+                };
+            }
+            finally {
+                clearTimeout(timeoutId);
+                if (ctx.signal) {
+                    ctx.signal.removeEventListener("abort", onAbort);
+                }
+            }
+        }
+        return null;
+    };
+    const builtinResult = await runBuiltinTool();
+    if (builtinResult) {
+        return builtinResult;
+    }
+    const action = ctx.parentDeck.actionDecks.find((a) => a.name === call.name);
+    if (!action) {
+        const externalTool = ctx.parentDeck.tools.find((tool) => tool.name === call.name);
+        if (!externalTool) {
+            return {
+                toolContent: JSON.stringify({
+                    runId: ctx.runId,
+                    actionCallId: call.id,
+                    parentActionCallId: ctx.parentActionCallId,
+                    source,
+                    status: 404,
+                    message: "unknown action",
+                }),
+            };
+        }
+        let externalInput = call.args;
+        if (externalTool.inputSchema) {
+            try {
+                externalInput = (0, schema_js_1.validateWithSchema)(externalTool.inputSchema, call.args);
+            }
+            catch (err) {
+                return {
+                    toolContent: baseComplete({
+                        status: 400,
+                        code: "invalid_input",
+                        message: err instanceof Error ? err.message : String(err),
+                    }),
+                };
+            }
+        }
+        if (!ctx.onTool) {
+            return {
+                toolContent: baseComplete({
+                    status: 500,
+                    code: "missing_on_tool",
+                    message: `External tool ${call.name} requires runtime onTool handler`,
+                }),
+            };
+        }
+        try {
+            const result = await ctx.onTool({
+                name: call.name,
+                args: externalInput,
+                runId: ctx.runId,
+                actionCallId: call.id,
+                parentActionCallId: ctx.parentActionCallId,
+                deckPath: ctx.parentDeck.path,
+            });
+            return { toolContent: baseComplete(normalizeChildResult(result)) };
+        }
+        catch (err) {
+            return {
+                toolContent: baseComplete({
+                    status: 500,
+                    code: "tool_handler_error",
+                    message: err instanceof Error ? err.message : String(err),
+                }),
+            };
+        }
+    }
+    let actionInput = call.args;
+    if (action.contextSchema) {
+        try {
+            actionInput = (0, schema_js_1.validateWithSchema)(action.contextSchema, call.args);
+        }
+        catch (err) {
+            return {
+                toolContent: baseComplete({
+                    status: 400,
+                    code: "invalid_input",
+                    message: err instanceof Error ? err.message : String(err),
+                }),
+            };
+        }
+    }
     const busyCfg = ctx.parentDeck.handlers?.onBusy ??
         ctx.parentDeck.handlers?.onInterval;
     const busyDelay = busyCfg?.delayMs ?? constants_js_1.DEFAULT_STATUS_DELAY_MS;
@@ -818,7 +3505,7 @@ async function handleToolCall(call, ctx) {
         try {
             const result = await runDeck({
                 path: action.path,
-                input: call.args,
+                input: actionInput,
                 modelProvider: ctx.modelProvider,
                 isRoot: false,
                 guardrails: ctx.guardrails,
@@ -830,7 +3517,19 @@ async function handleToolCall(call, ctx) {
                 trace: ctx.trace,
                 stream: ctx.stream,
                 onStreamText: ctx.onStreamText,
+                responsesMode: ctx.responsesMode,
                 initialUserMessage: undefined,
+                parentPermissions: ctx.permissions,
+                referencePermissions: action.permissions,
+                referencePermissionsBaseDir: path.dirname(ctx.parentDeck.path),
+                workspacePermissions: ctx.workspacePermissions,
+                workspacePermissionsBaseDir: ctx.workspacePermissionsBaseDir,
+                sessionPermissions: ctx.sessionPermissions,
+                sessionPermissionsBaseDir: ctx.sessionPermissionsBaseDir,
+                runDeadlineMs: ctx.runDeadlineMs,
+                workerSandbox: ctx.workerSandbox,
+                signal: ctx.signal,
+                onTool: ctx.onTool,
             });
             return { ok: true, result };
         }
@@ -862,7 +3561,17 @@ async function handleToolCall(call, ctx) {
                 trace: ctx.trace,
                 stream: ctx.stream,
                 onStreamText: ctx.onStreamText,
+                responsesMode: ctx.responsesMode,
                 initialUserMessage: undefined,
+                permissions: ctx.permissions,
+                workspacePermissions: ctx.workspacePermissions,
+                workspacePermissionsBaseDir: ctx.workspacePermissionsBaseDir,
+                sessionPermissions: ctx.sessionPermissions,
+                sessionPermissionsBaseDir: ctx.sessionPermissionsBaseDir,
+                runDeadlineMs: ctx.runDeadlineMs,
+                workerSandbox: ctx.workerSandbox,
+                signal: ctx.signal,
+                onTool: ctx.onTool,
             });
             if (envelope.length) {
                 extraMessages.push(...envelope.map(sanitizeMessage));
@@ -920,6 +3629,9 @@ async function handleToolCall(call, ctx) {
         throw childResult.error;
     }
     const normalized = normalizeChildResult(childResult.result);
+    if (action.responseSchema) {
+        normalized.payload = (0, schema_js_1.validateWithSchema)(action.responseSchema, normalized.payload);
+    }
     const toolContent = baseComplete(normalized);
     if (busyCfg?.path) {
         const elapsedFromAction = performance.now() - started;
@@ -941,7 +3653,17 @@ async function handleToolCall(call, ctx) {
                     trace: ctx.trace,
                     stream: ctx.stream,
                     onStreamText: ctx.onStreamText,
+                    responsesMode: ctx.responsesMode,
                     initialUserMessage: undefined,
+                    permissions: ctx.permissions,
+                    workspacePermissions: ctx.workspacePermissions,
+                    workspacePermissionsBaseDir: ctx.workspacePermissionsBaseDir,
+                    sessionPermissions: ctx.sessionPermissions,
+                    sessionPermissionsBaseDir: ctx.sessionPermissionsBaseDir,
+                    runDeadlineMs: ctx.runDeadlineMs,
+                    workerSandbox: ctx.workerSandbox,
+                    signal: ctx.signal,
+                    onTool: ctx.onTool,
                 });
                 if (envelope.length) {
                     extraMessages.push(...envelope.map(sanitizeMessage));
@@ -991,6 +3713,7 @@ function normalizeChildResult(result) {
 }
 async function runBusyHandler(args) {
     try {
+        ensureRunActive(args.runDeadlineMs, args.signal);
         const input = {
             kind: "busy",
             label: args.action.label ?? args.parentDeck.label,
@@ -1015,8 +3738,18 @@ async function runBusyHandler(args) {
             trace: args.trace,
             stream: args.stream,
             onStreamText: args.onStreamText,
+            responsesMode: args.responsesMode,
             initialUserMessage: args.initialUserMessage,
             inputProvided: true,
+            parentPermissions: args.permissions,
+            workspacePermissions: args.workspacePermissions,
+            workspacePermissionsBaseDir: args.workspacePermissionsBaseDir,
+            sessionPermissions: args.sessionPermissions,
+            sessionPermissionsBaseDir: args.sessionPermissionsBaseDir,
+            runDeadlineMs: args.runDeadlineMs,
+            workerSandbox: args.workerSandbox,
+            signal: args.signal,
+            onTool: args.onTool,
         });
         const elapsedMs = Math.floor(args.elapsedMs);
         let message;
@@ -1033,7 +3766,7 @@ async function runBusyHandler(args) {
         }
         if (!message)
             return [];
-        if (args.onStreamText) {
+        if (args.onStreamText && !args.signal?.aborted) {
             args.onStreamText(`${message}\n`);
         }
         else {
@@ -1093,6 +3826,16 @@ function createIdleController(args) {
                     trace: args.trace,
                     stream: args.stream,
                     onStreamText: args.onStreamText,
+                    responsesMode: args.responsesMode,
+                    permissions: args.permissions,
+                    workspacePermissions: args.workspacePermissions,
+                    workspacePermissionsBaseDir: args.workspacePermissionsBaseDir,
+                    sessionPermissions: args.sessionPermissions,
+                    sessionPermissionsBaseDir: args.sessionPermissionsBaseDir,
+                    runDeadlineMs: args.runDeadlineMs,
+                    workerSandbox: args.workerSandbox,
+                    signal: args.signal,
+                    onTool: args.onTool,
                 });
                 if (envelope.length)
                     args.pushMessages(envelope.map(sanitizeMessage));
@@ -1132,6 +3875,7 @@ function createIdleController(args) {
 }
 async function runIdleHandler(args) {
     try {
+        ensureRunActive(args.runDeadlineMs, args.signal);
         const input = {
             kind: "idle",
             label: args.deck.label,
@@ -1155,8 +3899,18 @@ async function runIdleHandler(args) {
             trace: args.trace,
             stream: args.stream,
             onStreamText: args.onStreamText,
+            responsesMode: args.responsesMode,
             initialUserMessage: undefined,
             inputProvided: true,
+            parentPermissions: args.permissions,
+            workspacePermissions: args.workspacePermissions,
+            workspacePermissionsBaseDir: args.workspacePermissionsBaseDir,
+            sessionPermissions: args.sessionPermissions,
+            sessionPermissionsBaseDir: args.sessionPermissionsBaseDir,
+            runDeadlineMs: args.runDeadlineMs,
+            workerSandbox: args.workerSandbox,
+            signal: args.signal,
+            onTool: args.onTool,
         });
         const elapsedMs = Math.floor(args.elapsedMs);
         let message;
@@ -1173,7 +3927,7 @@ async function runIdleHandler(args) {
         }
         if (!message)
             return [];
-        if (args.onStreamText) {
+        if (args.onStreamText && !args.signal?.aborted) {
             args.onStreamText(`${message}\n`);
         }
         else {
@@ -1192,6 +3946,7 @@ async function maybeHandleError(args) {
     const handlerPath = args.ctx.parentDeck.handlers?.onError?.path;
     if (!handlerPath)
         return undefined;
+    ensureRunActive(args.ctx.runDeadlineMs, args.ctx.signal);
     const message = args.err instanceof Error
         ? args.err.message
         : String(args.err);
@@ -1220,8 +3975,18 @@ async function maybeHandleError(args) {
             trace: args.ctx.trace,
             stream: args.ctx.stream,
             onStreamText: args.ctx.onStreamText,
+            responsesMode: args.ctx.responsesMode,
             initialUserMessage: undefined,
             inputProvided: true,
+            parentPermissions: args.ctx.permissions,
+            workspacePermissions: args.ctx.workspacePermissions,
+            workspacePermissionsBaseDir: args.ctx.workspacePermissionsBaseDir,
+            sessionPermissions: args.ctx.sessionPermissions,
+            sessionPermissionsBaseDir: args.ctx.sessionPermissionsBaseDir,
+            runDeadlineMs: args.ctx.runDeadlineMs,
+            workerSandbox: args.ctx.workerSandbox,
+            signal: args.ctx.signal,
+            onTool: args.ctx.onTool,
         });
         const parsed = typeof handlerOutput === "object" && handlerOutput !== null
             ? handlerOutput
@@ -1345,8 +4110,173 @@ function sanitizeMessage(msg) {
         : undefined;
     return { ...msg, tool_calls: toolCalls };
 }
-async function buildToolDefs(deck) {
+function resolveToolPath(baseDir, rawPath) {
+    if (typeof rawPath !== "string" || rawPath.trim().length === 0) {
+        throw new Error("path is required");
+    }
+    return path.resolve(baseDir, rawPath);
+}
+function parseLineRange(args) {
+    const startLine = Number.isInteger(args.start_line)
+        ? Math.max(1, Number(args.start_line))
+        : 1;
+    const endLine = Number.isInteger(args.end_line)
+        ? Math.max(startLine, Number(args.end_line))
+        : startLine + 399;
+    return { startLine, endLine };
+}
+function parseToolLimit(value, fallback, max) {
+    if (!Number.isInteger(value))
+        return fallback;
+    return Math.min(max, Math.max(1, Number(value)));
+}
+function toStringArray(value) {
+    if (!Array.isArray(value))
+        return [];
+    return value.filter((entry) => typeof entry === "string");
+}
+function hasAnyScope(scope) {
+    return scope.all || scope.values.size > 0;
+}
+function hasAnyRunScope(scope) {
+    return scope.all || scope.paths.size > 0 || scope.commands.size > 0;
+}
+function isBuiltinTool(name) {
+    return BUILTIN_TOOL_NAMES.has(name);
+}
+function applySimplePatch(content, edits) {
+    let next = content;
+    let applied = 0;
+    for (const edit of edits) {
+        const oldText = edit.oldText ?? "";
+        const newText = edit.newText ?? "";
+        if (!oldText)
+            continue;
+        if (edit.replaceAll) {
+            if (!next.includes(oldText))
+                continue;
+            next = next.split(oldText).join(newText);
+            applied++;
+            continue;
+        }
+        const idx = next.indexOf(oldText);
+        if (idx === -1)
+            continue;
+        next = `${next.slice(0, idx)}${newText}${next.slice(idx + oldText.length)}`;
+        applied++;
+    }
+    return { next, applied };
+}
+async function buildToolDefs(deck, permissions) {
     const defs = [];
+    const addBuiltinTools = () => {
+        if (hasAnyScope(permissions.read)) {
+            defs.push({
+                type: "function",
+                function: {
+                    name: BUILTIN_TOOL_READ_FILE,
+                    description: "Read a UTF-8 text file.",
+                    parameters: {
+                        type: "object",
+                        properties: {
+                            path: { type: "string" },
+                            start_line: { type: "number" },
+                            end_line: { type: "number" },
+                        },
+                        required: ["path"],
+                        additionalProperties: false,
+                    },
+                },
+            }, {
+                type: "function",
+                function: {
+                    name: BUILTIN_TOOL_LIST_DIR,
+                    description: "List directory entries.",
+                    parameters: {
+                        type: "object",
+                        properties: {
+                            path: { type: "string" },
+                            recursive: { type: "boolean" },
+                            max_entries: { type: "number" },
+                        },
+                        required: ["path"],
+                        additionalProperties: false,
+                    },
+                },
+            }, {
+                type: "function",
+                function: {
+                    name: BUILTIN_TOOL_GREP_FILES,
+                    description: "Search text files using a regular expression.",
+                    parameters: {
+                        type: "object",
+                        properties: {
+                            path: { type: "string" },
+                            query: { type: "string" },
+                            max_matches: { type: "number" },
+                        },
+                        required: ["path", "query"],
+                        additionalProperties: false,
+                    },
+                },
+            });
+        }
+        if (hasAnyScope(permissions.write)) {
+            defs.push({
+                type: "function",
+                function: {
+                    name: BUILTIN_TOOL_APPLY_PATCH,
+                    description: "Apply text replacements to a file using old/new edit pairs.",
+                    parameters: {
+                        type: "object",
+                        properties: {
+                            path: { type: "string" },
+                            create_if_missing: { type: "boolean" },
+                            edits: {
+                                type: "array",
+                                items: {
+                                    type: "object",
+                                    properties: {
+                                        old_text: { type: "string" },
+                                        new_text: { type: "string" },
+                                        replace_all: { type: "boolean" },
+                                    },
+                                    required: ["old_text", "new_text"],
+                                    additionalProperties: false,
+                                },
+                            },
+                        },
+                        required: ["path", "edits"],
+                        additionalProperties: false,
+                    },
+                },
+            });
+        }
+        if (hasAnyRunScope(permissions.run)) {
+            defs.push({
+                type: "function",
+                function: {
+                    name: BUILTIN_TOOL_EXEC,
+                    description: "Run an allowed command with optional args.",
+                    parameters: {
+                        type: "object",
+                        properties: {
+                            command: { type: "string" },
+                            args: {
+                                type: "array",
+                                items: { type: "string" },
+                            },
+                            cwd: { type: "string" },
+                            timeout_ms: { type: "number" },
+                        },
+                        required: ["command"],
+                        additionalProperties: false,
+                    },
+                },
+            });
+        }
+    };
+    addBuiltinTools();
     if (deck.allowEnd) {
         defs.push({
             type: "function",
@@ -1388,9 +4318,15 @@ async function buildToolDefs(deck) {
         });
     }
     for (const action of deck.actionDecks) {
-        const child = await (0, loader_js_1.loadDeck)(action.path, deck.path);
-        ensureSchemaPresence(child, false);
-        const schema = child.inputSchema;
+        if (isBuiltinTool(action.name)) {
+            throw new Error(`Action name ${action.name} conflicts with a built-in tool name`);
+        }
+        let schema = action.contextSchema;
+        if (!schema) {
+            const child = await (0, loader_js_1.loadDeck)(action.path, deck.path);
+            ensureSchemaPresence(child, false);
+            schema = resolveContextSchema(child);
+        }
         const params = (0, schema_js_1.toJsonSchema)(schema);
         defs.push({
             type: "function",
@@ -1401,5 +4337,23 @@ async function buildToolDefs(deck) {
             },
         });
     }
+    const actionNames = new Set(deck.actionDecks.map((action) => action.name));
+    for (const external of deck.tools) {
+        if (actionNames.has(external.name))
+            continue;
+        if (isBuiltinTool(external.name)) {
+            throw new Error(`External tool name ${external.name} conflicts with a built-in tool name`);
+        }
+        defs.push({
+            type: "function",
+            function: {
+                name: external.name,
+                description: external.description,
+                parameters: external.inputSchema
+                    ? (0, schema_js_1.toJsonSchema)(external.inputSchema)
+                    : { type: "object", additionalProperties: true },
+            },
+        });
+    }
     return defs;
 }