feat(release): publish standalone openshell-gateway binaries #853

Merged
drew merged 9 commits into main from
drew/os-85-release-standalone-openshell-gateway-binary-from-openshell
Apr 16, 2026

@drew drew commented Apr 15, 2026

Summary

Publish standalone openshell-gateway release artifacts from the existing openshell-server crate without changing the current container/runtime naming or openshell gateway start behavior.

Related Issue

Linear: https://linear.app/nvidia/issue/OS-85/release-standalone-openshell-gateway-binary-from-openshell-server

Changes

  • add a shared openshell-server CLI entrypoint and a new openshell-gateway binary
  • embed sqlite and postgres migrations so the standalone binary no longer depends on checkout-relative migration paths
  • extend release-dev.yml and release-tag.yml to publish GNU Linux and macOS ARM64 openshell-gateway tarballs plus a dedicated checksum file
  • update the support matrix and architecture docs for the new standalone gateway artifact

Testing

  • mise run pre-commit passes
  • Unit tests added/updated
  • E2E tests added/updated (if applicable)
  • cargo check -p openshell-server
  • cargo test -p openshell-server cli::tests -- --nocapture
  • cargo test -p openshell-server sqlite_connect_runs_embedded_migrations -- --nocapture
  • release workflows and the macOS cross-build path were not run locally

Checklist

  • Follows Conventional Commits
  • Commits are signed off (DCO)
  • Architecture docs updated (if applicable)

@drew drew requested a review from a team as a code owner April 15, 2026 19:29
@drew drew self-assigned this Apr 15, 2026

copy-pr-bot Bot commented Apr 15, 2026

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.


@drew drew force-pushed the drew/os-85-release-standalone-openshell-gateway-binary-from-openshell branch from e7ceb9c to 9106a0e Compare April 16, 2026 06:56
drew added 2 commits April 16, 2026 00:00
Signed-off-by: Drew Newberry <anewberry@nvidia.com>
@drew drew force-pushed the drew/os-85-release-standalone-openshell-gateway-binary-from-openshell branch from 9106a0e to a48cad6 Compare April 16, 2026 07:15
TaylorMutch previously approved these changes Apr 16, 2026
- Add build-supervisor-binary-linux job for amd64/arm64 standalone binaries
- Add supervisor Docker image target to Dockerfile.images
- Add build-supervisor docker build job and GHCR tagging
- Wire supervisor artifacts into GitHub Release (tarballs + checksums)
- Remove unnecessary workspace scoping sed from CLI and gateway builds
drew added 2 commits April 16, 2026 09:12
Mirror release-tag changes: build supervisor Docker image, standalone
Linux binaries (amd64/arm64), GHCR dev tagging, checksums, and release
assets. Also remove unnecessary workspace scoping sed from CLI and
gateway builds.
TaylorMutch previously approved these changes Apr 16, 2026
Remove the separate openshell-gateway binary entrypoint. The
openshell-server crate now produces a single binary (openshell-server)
from src/main.rs. Simplify cli.rs by removing the program_name
parameter. Rename standalone release artifacts from openshell-gateway-*
to openshell-server-*. Rename Dockerfile.gateway-macos to
Dockerfile.server-macos. Remove unused docker:build:supervisor task
alias.
drew added 3 commits April 16, 2026 14:09
Remove the separate openshell-server binary entrypoint. The
openshell-server crate now produces a single binary (openshell-gateway)
from src/main.rs. Simplify cli.rs by removing the program_name
parameter. Update Dockerfile.images and Dockerfile.gateway-macos to
remove bin/ skeleton stubs. Update container ENTRYPOINT to
openshell-gateway. Remove unused docker:build:supervisor task alias.
…eway-macos syntax

The docker-build.yml reusable workflow invokes mise tasks via
docker:build:$component, so the supervisor alias is required.
Also fix a missing && separator in the Dockerfile.gateway-macos
mkdir/touch skeleton stage that caused the server src dir to not
be created.
@drew drew force-pushed the drew/os-85-release-standalone-openshell-gateway-binary-from-openshell branch from abf1703 to ee99416 Compare April 16, 2026 23:14
@drew drew added test:e2e Requires end-to-end coverage labels Apr 16, 2026
@drew drew merged commit 5718553 into main Apr 16, 2026
41 checks passed
@drew drew deleted the drew/os-85-release-standalone-openshell-gateway-binary-from-openshell branch April 16, 2026 23:58
ericksoa pushed a commit to NVIDIA/NemoClaw that referenced this pull request Apr 23, 2026
## Summary
Bumps the pinned OpenShell version range from `0.0.29` → `0.0.32` so
fresh NemoClaw installs pick up sandbox hardening and TLS improvements
from the last three OpenShell releases.

## Notable upstream changes

**0.0.30** (NVIDIA/OpenShell@v0.0.29...v0.0.30)
- Network policy deny rules (NVIDIA/OpenShell#822)
- Preserve ownership on existing `read_write` paths (NVIDIA/OpenShell#827)
- Disable child core dumps (NVIDIA/OpenShell#821)
- Escape control characters in SSE error formatting (NVIDIA/OpenShell#842)
- Fix silent truncation of large streaming inference responses (NVIDIA/OpenShell#834)

**0.0.31** (NVIDIA/OpenShell@v0.0.30...v0.0.31)
- Inference routed-request header allowlist (NVIDIA/OpenShell#826)

**0.0.32** (NVIDIA/OpenShell@v0.0.31...v0.0.32)
- **Load system CA certificates for upstream TLS connections** (NVIDIA/OpenShell#862)
- Publish standalone `openshell-gateway` binaries (NVIDIA/OpenShell#853)

## Changes
- `nemoclaw-blueprint/blueprint.yaml`: `min_openshell_version` and
`max_openshell_version` → `0.0.32`
- `scripts/install-openshell.sh`: `MIN_VERSION` and `MAX_VERSION` →
`0.0.32` (`PIN_VERSION` follows `MAX`)
- `scripts/brev-launchable-ci-cpu.sh`: default `OPENSHELL_VERSION` →
`v0.0.32`
- `src/lib/onboard.ts`: blueprint-fallback min version → `0.0.32`
- `test/onboard.test.ts`,
`test/install-openshell-version-check.test.ts`: fixtures updated; "above
MAX" test case moved from `0.0.30` to `0.0.33`

Historical `m-dev` comments referencing `0.0.29` left in place — they
describe a self-report quirk the sidecar fallback still handles.

## Why not 0.0.33+?
`0.0.34` introduced incremental sandbox policy updates and L7
request-target canonicalization — changes with larger surface area
against how NemoClaw delivers policy via gRPC. Worth a follow-up PR
rather than bundling here. `0.0.35` released hours before this PR was
cut — too fresh.

## Type of Change
- [x] Code change for a new feature, bug fix, or refactor.

## Testing
- [x] `npx vitest run test/install-openshell-version-check.test.ts` — 9
passed
- [x] pre-commit hooks (prek) clean: shellcheck, commitlint, gitleaks,
YAML validator, CLI test suite
- [ ] Nightly E2E on this branch — will be kicked off after PR opens

## Notes
- No user-facing CLI behavior changes — just the pinned version range.
- Two pre-existing failures in `test/onboard.test.ts` reproduce on clean
`main` and are unrelated to this bump.

Signed-off-by: Prekshi Vyas <prekshiv@nvidia.com>

🤖 Generated with [Claude Code](https://claude.com/claude-code)

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **Chores**
* Updated OpenShell version constraints and default pinned version to
v0.0.32 across configuration, install, and onboarding flows.

* **Tests**
* Updated test fixtures and expectations to match the new OpenShell
version (v0.0.32).
<!-- end of auto-generated comment: release notes by coderabbit.ai -->

Signed-off-by: Prekshi Vyas <prekshiv@nvidia.com>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
FloHofstetter added a commit to FloHofstetter/shoreguard that referenced this pull request Apr 23, 2026
…pin bump)

Re-verified parity against NVIDIA/OpenShell v0.0.32 and
origin/main@e39bb380. All four upstream .proto files are
byte-identical across v0.0.30 → v0.0.32 → origin/main, so the
generated stubs remain wire-parity without regeneration.

Docs bumped from v0.0.26 to v0.0.32 as the recommended pin.
Added a routed-inference admonition for the upstream header
sanitization added in NVIDIA/OpenShell#826 and an installation
tip about the standalone openshell-gateway binary published in
NVIDIA/OpenShell#853. Internal watchlist of unmerged upstream
feature branches (os-81 incremental policy merge,
supervisor-session relay, l7-path-canonicalization,
runtime-policy-revision) recorded in the CHANGELOG for a future
milestone.

No code changes, no schema changes, no new dependencies. Full
pytest -n auto baseline stayed green at 3042 passed, 1 skipped.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>