Add explicit OpenProse context envelope #100

Open
rawwerks wants to merge 3 commits into main from feature/openprose-context-envelope-pr

@rawwerks
Contributor

Summary

This adds an explicit worker-frame context boundary for OpenProse runs.

  • Defines ### Context as a service-local, read-only allow-list separate from ### Requires.
  • Adds a VM-authored worker launch envelope so runs can prove what context was sent to each worker.
  • Updates the session/runtime/filesystem/Forme docs so missing context fails closed instead of falling back to ambient parent context.
  • Updates CLI bootstrap behavior so forwarded Codex and Claude Code harness runs honor the active PROSE_OPENPROSE_ROOT, activation id, and explicit OpenProse skill-root override.

Why This Shape

### Requires and ### Context now have different jobs.

### Requires is the task interface: values the service needs in order to run.

### Context is a read-only background allow-list: material the VM is allowed to place inside that worker frame. If requested context is missing, the worker should fail closed or produce missing-context evidence instead of reconstructing it from ambient parent context.

That gives OpenProse a cleaner boundary for multi-agent systems: the parent can have broad context, private scratch, sibling outputs, and operational details, while each worker receives only the task, declared inputs, declared context, workspace path, and output instructions it needs.

To make that boundary auditable, the VM writes a worker launch envelope before spawning a worker. The envelope records what classes of input were included and which classes were intentionally absent. This is stronger than relying only on the worker's final answer, because it captures the launch boundary before the model runs.

Validation

The committed CLI tests cover the public contract surface: ### Context documentation, worker-launch-envelope documentation, active-root bootstrap instructions, shared Codex/Claude Code harness routing, explicit skill-root overrides, and fail-closed invalid override behavior.

In addition to those committed checks, I tested the shape with a local context-boundary run that deliberately mixed safe context with private parent-only material.

The run checked that:

  • the worker received the declared context binding;
  • the worker did not receive raw parent context;
  • the worker did not receive sibling outputs or undeclared context;
  • missing requested context failed closed instead of being invented;
  • worker-visible outputs contained the expected missing-context evidence;
  • private markers stayed out of worker-visible artifacts;
  • the worker launch envelope was runtime-authored and matched the declared context file by digest.

I also ran polarity controls for the envelope rule:

  • no envelope is treated as unproven;
  • a valid envelope passes;
  • an envelope containing disallowed context fails.

Those checks are why this PR uses both a declared ### Context section and a launch envelope: the section expresses intent, and the envelope proves what actually crossed the worker boundary.

The CLI bootstrap path is shared by the Codex and Claude Code harness adapters. This PR updates that shared path so forwarded runs receive the active OpenProse root, activation id, and skill-root override consistently. The focused CLI tests cover both harness routing and the shared bootstrap contract; the local runtime proof exercised the Codex harness path.

Local Checks

  • vitest --run tests/skills/open-prose.test.ts
  • tsc -p tsconfig.json --noEmit
  • tsc -p tsconfig.build.json
  • scoped ubs scan on changed files
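
The three polarity controls and the digest match described above, sketched as an added example that is not code from this PR or the OpenProse project. The envelope fields, the input-class names and the `checkEnvelope` helper are hypothetical, since the PR description does not show the envelope schema.

```typescript
import { createHash } from "node:crypto";

// Hypothetical envelope shape: the PR description does not show the real schema.
interface LaunchEnvelope {
  author: string;                          // who wrote the envelope
  included: string[];                      // input classes placed in the worker frame
  contextDigests: Record<string, string>;  // context name -> SHA-256 of the content sent
}
type Verdict = "unproven" | "pass" | "fail";

// Input classes a worker may receive, per the PR description (identifier names assumed).
const ALLOWED = ["task", "declared_inputs", "declared_context", "workspace_path", "output_instructions"];

function sha256(text: string): string {
  return createHash("sha256").update(text).digest("hex");
}

// `declared` maps each name listed under ### Context to that file's content.
function checkEnvelope(env: LaunchEnvelope | undefined, declared: Record<string, string>): Verdict {
  if (env === undefined) return "unproven";          // absence of evidence is not a pass
  if (env.author !== "vm") return "fail";            // must be runtime-authored
  if (env.included.some((c) => ALLOWED.indexOf(c) === -1)) return "fail"; // disallowed class
  for (const name of Object.keys(env.contextDigests)) {
    const known = Object.prototype.hasOwnProperty.call(declared, name);
    const content = known ? declared[name] : undefined;
    if (content === undefined) return "fail";        // undeclared context crossed the boundary
    if (env.contextDigests[name] !== sha256(content)) return "fail"; // differs from declared file
  }
  return "pass";
}

// Constructed sample data for the three polarity controls.
const SAMPLE_TEXT = "constructed sample context";
const SAMPLE_DECLARED: Record<string, string> = { "style-guide": SAMPLE_TEXT };
const SAMPLE_ENVELOPE: LaunchEnvelope = {
  author: "vm",
  included: ["task", "declared_context", "workspace_path"],
  contextDigests: { "style-guide": sha256(SAMPLE_TEXT) },
};

// Runs: no envelope, a valid envelope, an envelope listing a disallowed class.
function polarityControls(): Verdict[] {
  const leaked: LaunchEnvelope = { ...SAMPLE_ENVELOPE, included: ["task", "parent_context"] };
  return [undefined, SAMPLE_ENVELOPE, leaked].map((e) => checkEnvelope(e, SAMPLE_DECLARED));
}
console.log(polarityControls());
```

Declared context that is absent from the envelope is not judged here; the PR handles that case through the worker failing closed or producing missing-context evidence.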
