Skip to content

feat(gateway): add operation interceptors#1936

Draft
drew wants to merge 1 commit into
mainfrom
gateway-interceptor-impl
Draft

feat(gateway): add operation interceptors#1936
drew wants to merge 1 commit into
mainfrom
gateway-interceptor-impl

Conversation

@drew

@drew drew commented Jun 16, 2026

Copy link
Copy Markdown
Collaborator

Summary

Implement RFC 0006 gateway operation interceptors and add a policy governance example interceptor that vends a default sandbox policy, governs GitHub/GitLab providers, and signs the vendored policy digest with an internal JWT workflow.

Related Issue

RFC 0006

Changes

  • Add the interceptor proto, runtime crate, endpoint parsing, manifest validation, selector matching, failure policy behavior, patch handling, metrics, and gateway config support.
  • Wire interceptor phases into sandbox, provider, provider profile, policy, and config write paths with credential redaction and secret-field patch rejection.
  • Add docs for gateway interceptor configuration and architecture behavior.
  • Add examples/policy-governance-interceptor with policy vending, provider lockdown, signature labels, JWT signing/verification, and an end-to-end smoke script.

Testing

  • mise run pre-commit passes
  • Unit tests added/updated
  • E2E tests added/updated

Manual verification run locally:

  • cargo fmt --all
  • bash -n examples/policy-governance-interceptor/smoke.sh
  • cargo test -p policy-governance-interceptor --message-format=short
  • bash examples/policy-governance-interceptor/smoke.sh
  • env CC=clang CXX=clang++ RUSTC_WRAPPER= cargo test -p openshell-interceptors -p openshell-server -p policy-governance-interceptor --features openshell-server/test-support,openshell-server/gh-release-z3 --message-format=short

mise run pre-commit was attempted twice locally. The default run failed because aws-lc-sys picked up /opt/homebrew/bin/gcc-15 and failed against the macOS SDK block syntax. The clang rerun got past that but failed because local z3.h is not installed. The focused Rust verification above uses openshell-server/gh-release-z3, matching the smoke build path.

Checklist

  • Follows Conventional Commits
  • Commits are signed off (DCO)

@copy-pr-bot

copy-pr-bot Bot commented Jun 16, 2026

Copy link
Copy Markdown

Auto-sync is disabled for draft pull requests in this repository. Workflows must be run manually.

Contributors can view more details about this message here.

@github-actions

github-actions Bot commented Jun 16, 2026

Copy link
Copy Markdown

🌿 Preview your docs: https://nvidia-preview-pr-1936.docs.buildwithfern.com/openshell

@drew drew force-pushed the gateway-interceptor-impl branch 2 times, most recently from 7b79fcb to aa69ab9 Compare June 16, 2026 20:45
@drew
feat(gateway): add operation interceptors
efd8bef 
Signed-off-by: Drew Newberry <anewberry@nvidia.com>
@drew drew force-pushed the gateway-interceptor-impl branch from aa69ab9 to efd8bef Compare June 16, 2026 20:56
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mrunalp mrunalp Awaiting requested review from mrunalp mrunalp will be requested when the pull request is marked ready for review mrunalp is a code owner

@maxamillion maxamillion Awaiting requested review from maxamillion maxamillion will be requested when the pull request is marked ready for review maxamillion is a code owner

@derekwaynecarr derekwaynecarr Awaiting requested review from derekwaynecarr derekwaynecarr will be requested when the pull request is marked ready for review derekwaynecarr is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@drew