fix: validate ls special permission bits by position

[matthewflint]

Summary

• Allow Permissions.from_str() to parse valid ls -l special execute-column markers: s/S for owner and group, and t/T for other.
• Preserve the modeled execute bit for lowercase s/t; ignore the special bit itself because Permissions currently stores only rwx bits.
• Keep validation position-aware so invalid cross-position markers, such as t in owner/group or s in other, are rejected.
• Add regression coverage through parse_ls_la() for sticky directories, setuid/setgid-style entries, and invalid special-bit positions.

Test plan

• UV_CACHE_DIR=/tmp/uv-cache UV_PROJECT_ENVIRONMENT=/tmp/openai-pr3420-venv UV_PYTHON=3.12.13 uv run pytest tests/sandbox/test_parse_utils.py
• UV_CACHE_DIR=/tmp/uv-cache UV_PROJECT_ENVIRONMENT=/tmp/openai-pr3420-venv UV_PYTHON=3.12.13 uv run ruff check src/agents/sandbox tests/sandbox
• UV_CACHE_DIR=/tmp/uv-cache UV_PROJECT_ENVIRONMENT=/tmp/openai-pr3420-venv UV_PYTHON=3.12.13 uv run pyright
• UV_CACHE_DIR=/tmp/uv-cache UV_PROJECT_ENVIRONMENT=/tmp/openai-pr3420-venv UV_PYTHON=3.12.13 make format
• UV_CACHE_DIR=/tmp/uv-cache UV_PROJECT_ENVIRONMENT=/tmp/openai-pr3420-venv UV_PYTHON=3.12.13 make lint
• UV_CACHE_DIR=/tmp/uv-cache UV_PROJECT_ENVIRONMENT=/tmp/openai-pr3420-venv UV_PYTHON=3.12.13 make typecheck
• UV_CACHE_DIR=/tmp/uv-cache UV_PROJECT_ENVIRONMENT=/tmp/openai-pr3420-venv UV_PYTHON=3.12.13 make tests

Issue number

N/A

Checks

• I've added new tests
• Documentation update is not needed for this parser-only bugfix
• I've made sure the focused sandbox parser test, Ruff, and Pyright pass
• I've run make format, make lint, make typecheck, and make tests

[seratch]

Thanks for fixing this. One small tightening suggestion: can we make the special execute-column handling position-aware?

ls -l only emits s/S in the owner and group execute columns, and t/T in the other execute column. The current generic triplet parser accepts t/T for owner/group and s/S for other, which should not appear in real ls output.

I think the behavior would be easier to defend if we kept the current rwx-only model but validated the special characters by position:

• owner: allow x, s, S, -
• group: allow x, s, S, -
• other: allow x, t, T, -

Could you also add regression coverage for rejecting the invalid cross-position cases?

[matthewflint]

@seratch thanks for the catch. I pushed an update that makes this validation position-aware now.

Owner and group accept x, s, S, and -; other accepts x, t, T, and -. Lowercase s/t still maps to the modeled execute bit, uppercase S/T parses without execute, and cross-position markers are rejected.

I also added regression coverage through parse_ls_la() for the invalid s/S/t/T positions and reran the parser test, Ruff, Pyright, and the repo checks listed in the PR body.