feat(gateway): add runtime settings file#1920

Open
TaylorMutch wants to merge 5 commits into main from spike-runtime-config/tm

@TaylorMutch TaylorMutch commented Jun 15, 2026

Collaborator

Summary

Add a gateway runtime settings file that Kubernetes deployments can mount and update as an authoritative source for selected runtime-level gateway settings without restarting the gateway.

The runtime file is referenced from gateway.toml, reconciled into the existing gateway-global settings record, and watched for changes. Keys present in the file are file-managed; omitted keys continue to use the stored global value, or remain unset if no stored value exists.

Related Issue

N/A - requested directly.

Changes

  • Add optional runtime_config_path to gateway startup TOML.
  • Add a runtime settings parser, validator, startup reconciler, and file watcher.
  • Persist runtime file values through the existing global settings record so sandbox config revision flow remains unchanged.
  • Treat keys present in the runtime file as file-managed and reject settings set/delete --global for those keys.
  • Add Helm server.runtimeConfig.* values, a separate runtime ConfigMap template, mounts, chart tests, and a reusable ci/values-runtime-config.yaml overlay.
  • Document runtime config behavior in gateway reference docs and architecture notes.

Testing

  • mise run pre-commit
  • cargo test -p openshell-server runtime_config -- --nocapture
  • cargo test -p openshell-server gateway_config_uses_stored_global_settings_when_no_runtime_file_is_configured -- --nocapture
  • mise run helm:test
  • mise run helm:docs:check
  • helm lint deploy/helm/openshell -f deploy/helm/openshell/ci/values-runtime-config.yaml
  • helm template openshell deploy/helm/openshell -n openshell -f deploy/helm/openshell/ci/values-skaffold.yaml -f deploy/helm/openshell/ci/values-runtime-config.yaml
  • Local k3d/Skaffold deploy with runtime config enabled:
    • mise run helm:k3s:create
    • KUBECONFIG=kubeconfig mise run helm:skaffold:run
    • helm upgrade openshell deploy/helm/openshell -n openshell --reuse-values -f deploy/helm/openshell/ci/values-runtime-config.yaml
    • Verified rendered openshell-runtime-config ConfigMap and runtime_config_path.
    • Verified gateway logs runtime config file applied.
    • Verified providers_v2_enabled=true is exposed via openshell settings get --global.
    • Verified openshell settings set --global --key providers_v2_enabled --value false is rejected while file-managed.
    • Verified omitted ocsf_json_enabled remained DB-backed and mutable.
    • Verified adding ocsf_json_enabled=true to the runtime ConfigMap propagated through the watcher without pod restart, advanced settings revision, logged runtime config file reloaded, and then rejected global updates for that key.

Checklist

  • Follows Conventional Commits
  • Commit is signed off (DCO)
  • Documentation updated

Signed-off-by: Taylor Mutch <taylormutch@gmail.com>

copy-pr-bot Bot commented Jun 15, 2026

Auto-sync is disabled for draft pull requests in this repository. Workflows must be run manually.

Contributors can view more details about this message here.

Comment thread docs/reference/gateway-config.mdx Outdated
proposal_approval_mode = "manual"
```

Only registered runtime setting keys are accepted. The gateway rejects unknown keys, the reserved `policy` key, values with the wrong TOML type, and invalid enum strings.
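
Review bot: the sentence "Only registered runtime setting keys are accepted" does not tell the reader where the registered keys are listed; link it to that list or name the keys here. The rejection sentence should also say what rejection does at startup and on a watched reload, for example whether the previously applied values stay in effect when a changed file fails validation.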

Member

Question: Where are the registered keys defined? I was expecting an explicit struct that is unmarshalled from TOML. In Go one would add tags to the struct fields that define the toml entries. Is that possible in Rust?

Collaborator Author

These are the same keys as defined by the API spec (I'm clarifying the language here). I will check for existing runtime config docs and link to that.
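
The file-managed semantics from the PR description and the validation rule quoted in the review thread, sketched in std-only Rust as an added example (not code from this PR or from openshell-server). The `Value` and `Kind` types, the `REGISTRY` table, the function names and the `"auto"` enum variant are assumptions; TOML parsing is left out, so the functions take already-parsed key/value pairs.

```rust
use std::collections::BTreeMap;
#[derive(Clone, Debug, PartialEq)]
enum Value { Bool(bool), Str(String) }
#[derive(Clone, Copy)]
enum Kind { Bool, Enum(&'static [&'static str]) }
type Settings = BTreeMap<String, Value>;

// Assumed registry: key names are from the PR text; "auto" is a placeholder variant.
const REGISTRY: &[(&str, Kind)] = &[
    ("providers_v2_enabled", Kind::Bool),
    ("ocsf_json_enabled", Kind::Bool),
    ("proposal_approval_mode", Kind::Enum(&["manual", "auto"])),
];

// Validate an already-parsed runtime file. Assumption: one bad entry rejects the whole file.
fn validate(file: &Settings) -> Result<(), String> {
    for (key, value) in file {
        if key == "policy" { return Err(format!("reserved key: {key}")); }
        let kind = REGISTRY.iter().find(|(k, _)| *k == key.as_str()).map(|(_, kind)| *kind)
            .ok_or_else(|| format!("unknown key: {key}"))?;
        match (kind, value) {
            (Kind::Bool, Value::Bool(_)) => {}
            (Kind::Enum(allowed), Value::Str(s)) if allowed.iter().any(|a| *a == s.as_str()) => {}
            (Kind::Enum(_), Value::Str(s)) => return Err(format!("invalid enum for {key}: {s}")),
            _ => return Err(format!("wrong type for {key}")),
        }
    }
    Ok(())
}

// Keys present in the file override the stored record; omitted keys keep the stored value.
fn reconcile(stored: &Settings, file: &Settings) -> Result<Settings, String> {
    validate(file)?;
    let mut effective = stored.clone();
    effective.extend(file.iter().map(|(k, v)| (k.clone(), v.clone())));
    Ok(effective)
}

// Guard for `settings set --global`: a key present in the file is read-only.
fn set_global(stored: &mut Settings, file: &Settings, key: &str, value: Value) -> Result<(), String> {
    if file.contains_key(key) { return Err(format!("{key} is file-managed")); }
    stored.insert(key.to_string(), value);
    Ok(())
}

fn main() { // constructed sample: one DB-backed value, one file-managed key
    let stored = Settings::from([("ocsf_json_enabled".to_string(), Value::Bool(false))]);
    let file = Settings::from([("providers_v2_enabled".to_string(), Value::Bool(true))]);
    println!("{:?}", reconcile(&stored, &file));
}
```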

Signed-off-by: Taylor Mutch <taylormutch@gmail.com>
@TaylorMutch TaylorMutch changed the title feat(gateway): spike runtime settings file feat(gateway): add runtime settings file Jun 16, 2026
@TaylorMutch TaylorMutch marked this pull request as ready for review June 16, 2026 15:24
@TaylorMutch TaylorMutch requested review from a team, derekwaynecarr and mrunalp as code owners June 16, 2026 15:24
Signed-off-by: Taylor Mutch <taylormutch@gmail.com>
Signed-off-by: Taylor Mutch <taylormutch@gmail.com>
Signed-off-by: Taylor Mutch <taylormutch@gmail.com>
@TaylorMutch TaylorMutch added the test:e2e Requires end-to-end coverage label Jun 16, 2026
@github-actions

Label test:e2e applied for db63140. Open the existing run and click Re-run all jobs to execute with the label set. The run will execute the standard E2E suite after building the required gateway and supervisor images once. The matching required CI gate status on this PR will flip green automatically once the run finishes.

@TaylorMutch TaylorMutch requested a review from elezar June 16, 2026 16:27