feat(python): support vfs-backed open

README.md

@@ -341,17 +341,17 @@ bash.exec("python3 -c \"print(2 ** 10)\"").await?;
 // Script files from VFS
 bash.exec("python3 /tmp/script.py").await?;
 
-// VFS bridging: pathlib.Path operations work with the virtual filesystem
+// VFS bridging: open() and pathlib.Path work with the virtual filesystem
 bash.exec(r#"python3 -c "
-from pathlib import Path
-Path('/tmp/data.txt').write_text('hello from python')
+with open('/tmp/data.txt', 'w') as f:
+    f.write('hello from python')
 ""#).await?;
 bash.exec("cat /tmp/data.txt").await?; // "hello from python"
 ```
 
 Stdlib modules: `math`, `pathlib`, `os` (getenv/environ), `sys`, `typing`.
 Security note: `re` is intentionally disabled due to regex backtracking DoS risk.
-Limitations: no `open()` (use `pathlib.Path`), no network, no classes, no third-party imports.
+Limitations: file I/O is VFS-scoped, no network, no classes, no third-party imports.
 See [crates/bashkit/docs/python.md](crates/bashkit/docs/python.md) for the full guide.
 
 ## Experimental: TypeScript Support

crates/bashkit/Cargo.toml

@@ -98,7 +98,7 @@ unit-prefix = "0.5"
 os_display = "0.1.3"
 
 # Embedded Python interpreter (optional)
-monty = { git = "https://github.com/pydantic/monty", rev = "49faa4c", optional = true }
+monty = { git = "https://github.com/pydantic/monty", rev = "9b5f478", optional = true }
 
 # Embedded TypeScript interpreter (optional)
 zapcode-core = { version = "1.5", optional = true }

crates/bashkit/docs/hooks.md

@@ -243,7 +243,7 @@ boundary stays in bashkit — hooks cannot bypass the allowlist.
 
 ### `before_http` — Filter or Modify Requests
 
-```rust
+```rust,ignore
 use bashkit::{Bash, NetworkAllowlist, hooks::{HookAction, HttpRequestEvent}};
 
 # fn main() {
@@ -266,7 +266,7 @@ let bash = Bash::builder()
 
 ### `after_http` — Observe Responses
 
-```rust
+```rust,ignore
 use bashkit::{Bash, NetworkAllowlist, hooks::{HookAction, HttpResponseEvent}};
 use std::sync::{Arc, Mutex};
 

crates/bashkit/docs/python.md

@@ -73,16 +73,15 @@ echo "print('piped')" | python3
 
 ## Virtual Filesystem (VFS) Bridging
 
-Python `pathlib.Path` operations are bridged to Bashkit's virtual filesystem.
-Files created by bash are readable from Python and vice versa.
+Python `open()` and `pathlib.Path` operations are bridged to Bashkit's virtual
+filesystem. Files created by bash are readable from Python and vice versa.
 
 ### Bash → Python
 
 ```bash
 echo "important data" > /tmp/shared.txt
 python3 -c "
-from pathlib import Path
-content = Path('/tmp/shared.txt').read_text()
+content = open('/tmp/shared.txt').read()
 print(f'Got: {content.strip()}')
 "
 ```
@@ -91,16 +90,20 @@ print(f'Got: {content.strip()}')
 
 ```bash
 python3 -c "
-from pathlib import Path
-_ = Path('/tmp/result.txt').write_text('computed by python\n')
+with open('/tmp/result.txt', 'w') as f:
+    _ = f.write('computed by python\n')
 "
 cat /tmp/result.txt
 ```
 
-### Supported Path Operations
+### Supported File Operations
 
 | Operation | Example |
 |-----------|---------|
+| Open/read | `open('f.txt').read()` |
+| Open/write | `open('f.txt', 'w').write('data')` |
+| Open/append | `open('f.txt', 'a').write('more')` |
+| Path open | `Path('f.txt').open('r')` |
 | Read text | `Path('f.txt').read_text()` |
 | Read bytes | `Path('f.txt').read_bytes()` |
 | Write text | `Path('f.txt').write_text('data')` |
@@ -117,7 +120,7 @@ cat /tmp/result.txt
 ### Architecture
 
 ```text
-Python code → Monty VM → OsCall(ReadText, path) → Bashkit VFS → resume
+Python code → Monty VM → OsCall(Open/ReadText, path) → Bashkit VFS → resume
 ```
 
 Monty pauses at filesystem operations, Bashkit bridges them to the VFS, then
@@ -169,19 +172,20 @@ let help = tool.help();  // Includes a Markdown Notes section with Python hints
 ```
 
 The builtin's `llm_hint()` is automatically included in the tool's documentation,
-so LLMs know not to generate code using `open()`, HTTP requests, or classes.
+so LLMs know file I/O is VFS-scoped and HTTP requests/classes are unavailable.
 
 ## Limitations
 
-**No `open()` builtin.** Monty does not implement Python's `open()`. Use `pathlib.Path` instead:
+**VFS-only file I/O.** `open()` and `pathlib.Path` read/write Bashkit's virtual
+filesystem, not the host filesystem:
 
 ```python
-# Won't work:
-# f = open('data.txt')
-
-# Use instead:
 from pathlib import Path
-content = Path('data.txt').read_text()
+
+with open('/tmp/data.txt', 'w') as f:
+    f.write('hello')
+
+content = Path('/tmp/data.txt').read_text()
 ```
 
 **No HTTP/network.** No `socket`, `urllib`, `requests`, or `http.client` modules.

crates/bashkit/docs/threat-model.md

@@ -554,15 +554,15 @@ attacks:
 ### Python / Monty Security (TM-PY-*)
 
 The `python`/`python3` builtins embed the Monty Python interpreter with VFS bridging.
-Python `pathlib.Path` operations are bridged to Bashkit's virtual filesystem.
+Python `pathlib.Path` and `open()` operations are bridged to Bashkit's virtual filesystem.
 
 | Threat | Attack Example | Mitigation | Status |
 |--------|---------------|------------|--------|
 | Infinite loop (TM-PY-001) | `while True: pass` | Monty time limit (30s) + allocation cap | MITIGATED |
 | Memory exhaustion (TM-PY-002) | Large allocation | Monty max_memory (64MB) + max_allocations (1M) | MITIGATED |
 | Stack overflow (TM-PY-003) | Deep recursion | Monty max_recursion (200) | MITIGATED |
 | Shell escape (TM-PY-004) | `os.system()` | Monty has no os.system/subprocess | MITIGATED |
-| Real FS access (TM-PY-005) | `open()` | Monty has no open() builtin | MITIGATED |
+| Real FS access (TM-PY-005) | `open()` | VFS bridge opens only Bashkit VFS files | MITIGATED |
 | Error info leak (TM-PY-006) | Errors go to stdout | Errors go to stderr, not stdout | MITIGATED |
 | Real FS read (TM-PY-015) | `Path.read_text()` | VFS bridge reads only from Bashkit VFS | MITIGATED |
 | Real FS write (TM-PY-016) | `Path.write_text()` | VFS bridge writes only to Bashkit VFS | MITIGATED |