feat(cli): kill-switch p3 wasi:filesystem when fs policy is active

p3 guests can't be matcher-gated per path op — Dir::open_at and
as_dir are pub(crate) in wasmtime-wasi, and HostDescriptorWithStore's
U: Send bound blocks the Accessor reprojection we'd need to delegate
to the default WasiFilesystem impl.

Shadow only p3 wasi:filesystem/preopens. When FsConfig.mode != Open,
get_directories returns an empty vec so p3 guests can't obtain a
Descriptor::Dir at all and every path op fails at the default impl.
Open mode continues to expose the full preopen list. p2 gating via
the FsMatcher is unchanged.

Author: GamePad64

act-cli/src/runtime/fs_policy.rs

@@ -133,6 +133,11 @@ pub struct PolicyFilesystemCtxView<'a> {
     pub table: &'a mut ResourceTable,
     pub matcher: &'a FsMatcher,
     pub fd_paths: &'a mut FdPathMap,
+    /// Configured mode; drives the p3 preopens kill-switch. p3 path-taking
+    /// ops can't be gated (upstream `Dir::open_at` is `pub(crate)`), so when
+    /// mode is anything but `Open` we return zero preopens from p3 and p3
+    /// guests can't acquire a `Descriptor::Dir` handle at all.
+    pub mode: PolicyMode,
 }
 
 /// Tracks the host path associated with each open filesystem descriptor,
@@ -476,6 +481,44 @@ impl HostDescriptor for PolicyFilesystemCtxView<'_> {
     }
 }
 
+// ── p3 preopens kill-switch ───────────────────────────────────────────────
+//
+// We can't mirror the full p2 matcher on p3 because `Dir::open_at` and
+// friends are `pub(crate)` in wasmtime-wasi — shadowing `HostDescriptorWithStore`
+// would need to reproject the Accessor via a `U: WasiFilesystemView` bound
+// that the trait doesn't permit, and the sibling methods we'd need to call
+// directly (`dir.open_at`, `dir.as_dir`) are gated.
+//
+// Instead we gate at preopens: if fs mode is anything other than `Open`,
+// p3 `get_directories` returns an empty vec. A p3 guest with an empty
+// preopen list can't construct a `Descriptor::Dir` resource, so every
+// p3 path op fails before it reaches cap-std. Components that genuinely
+// need p3 filesystem access must run under `policy.filesystem = "open"`.
+
+impl wasmtime_wasi::p3::bindings::filesystem::preopens::Host for PolicyFilesystemCtxView<'_> {
+    fn get_directories(
+        &mut self,
+    ) -> wasmtime::Result<
+        Vec<(
+            Resource<wasmtime_wasi::p3::bindings::filesystem::types::Descriptor>,
+            String,
+        )>,
+    > {
+        if self.mode != PolicyMode::Open {
+            tracing::warn!(
+                mode = ?self.mode,
+                "p3 wasi:filesystem/preopens: returning empty; p3 path ops can't be matcher-gated",
+            );
+            return Ok(vec![]);
+        }
+        let mut inner = WasiFilesystemCtxView {
+            ctx: self.ctx,
+            table: self.table,
+        };
+        <WasiFilesystemCtxView as wasmtime_wasi::p3::bindings::filesystem::preopens::Host>::get_directories(&mut inner)
+    }
+}
+
 // ── HostDirectoryEntryStream ──────────────────────────────────────────────
 
 impl HostDirectoryEntryStream for PolicyFilesystemCtxView<'_> {

act-cli/src/runtime/mod.rs

@@ -31,6 +31,7 @@ pub struct HostState {
     #[allow(dead_code)] // retained for Task 10 DNS resolver hook access
     http_client: std::sync::Arc<crate::runtime::http_client::ActHttpClient>,
     fs_matcher: crate::runtime::fs_matcher::FsMatcher,
+    fs_mode: crate::config::PolicyMode,
     fd_paths: crate::runtime::fs_policy::FdPathMap,
 }
 
@@ -42,6 +43,7 @@ impl HostState {
             table: &mut self.table,
             matcher: &self.fs_matcher,
             fd_paths: &mut self.fd_paths,
+            mode: self.fs_mode,
         }
     }
 }
@@ -115,6 +117,18 @@ pub fn create_linker(engine: &Engine) -> Result<Linker<HostState>> {
     // Add P3 bindings on top
     wasmtime_wasi::p3::add_to_linker(&mut linker)
         .map_err(|e| anyhow::anyhow!("failed to add WASI P3 to linker: {e}"))?;
+    // Shadow only the p3 preopens interface. When fs mode ≠ Open, our impl
+    // returns zero preopens → p3 guests can't obtain a Descriptor::Dir and
+    // every path op fails. Matcher-level gating on individual p3 path ops
+    // isn't possible with current wasmtime-wasi public API (Dir::open_at
+    // is `pub(crate)`).
+    linker.allow_shadowing(true);
+    wasmtime_wasi::p3::bindings::filesystem::preopens::add_to_linker::<
+        HostState,
+        crate::runtime::fs_policy::PolicyFilesystem,
+    >(&mut linker, |t| t.policy_fs_view())
+    .map_err(|e| anyhow::anyhow!("failed to add policy wasi:filesystem/preopens (p3): {e}"))?;
+    linker.allow_shadowing(false);
     // Add WASI HTTP bindings (P2 for wasm32-wasip2 components, P3 for async)
     wasmtime_wasi_http::p2::add_only_http_to_linker_async(&mut linker)
         .map_err(|e| anyhow::anyhow!("failed to add WASI HTTP P2 to linker: {e}"))?;
@@ -167,6 +181,7 @@ pub fn create_store(
         ),
         http_client,
         fs_matcher: matcher,
+        fs_mode: fs.mode,
         fd_paths: crate::runtime::fs_policy::FdPathMap {
             preopens: preopen_pairs,
             by_rep: Default::default(),