docs(rfc): sandbox-local route for host-tool discovery and invocation #1724
shiju-nv wants to merge 1 commit into
Add RFC 0005 proposing tools.local as a sandbox-local origin for OpenShell host-tool discovery and invocation in OpenShell. Define the /mcp gateway-to-broker relay, broker profile configuration, authentication boundaries, error mapping, audit behavior, risks, alternatives, and implementation plan.
Signed-off-by: Shiju <shiju@nvidia.com>

Thank you for your submission! We ask that you sign our Developer Certificate of Origin before we can accept your contribution. You can sign the DCO by adding a comment below using this text: I have read the DCO document and I hereby sign the DCO. You can retrigger this bot by commenting recheck in this Pull Request. Posted by the DCO Assistant Lite bot.

I have read the DCO document and I hereby sign the DCO.
```toml
[openshell.gateway.host_tools.brokers.local]
kind = "json_rpc_http"
base_url = "http://127.0.0.1:7901"
rpc_path = "/"
```
V1 uses MCP over JSON-RPC 2.0 at `POST http://tools.local/mcp` as the host-tool wire contract. It has three protocol boundaries:

- Sandbox to `tools.local`. The sandbox proxy reserves the `tools.local` host. Root JSON-RPC has no v1 methods and returns `method not found` for valid requests. The proxy serves `POST http://tools.local/mcp` as the broker-backed MCP-over-JSON-RPC 2.0 HTTP path, applies local admission checks, attaches sandbox context, and never exposes broker identity or backend routes to the sandbox.
Is there anything preventing us from using the existing host.openshell.internal endpoint to reach host services instead of creating a new convention?
How does this work in Kubernetes based cloud deployments?
The server-side component behind the sandbox proxy. For host tools it authenticates sandbox context, adds trusted `_meta`, calls the broker, validates response framing, and writes gateway audit.
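As an added example that is not part of the RFC or of OpenShell's code, a Python sketch of the gateway-side relay the two excerpts above describe: valid requests to the root get `method not found`, `/mcp` requests have gateway-owned `_meta` context attached (the `gw/` key namespace and the `echo_broker` stand-in are assumptions), broker failures are mapped to a JSON-RPC error without leaking broker details, results are checked against the text-only envelope, and an audit record is written.

```python
import json
from typing import Any, Callable

# JSON-RPC 2.0 error codes used by the relay
PARSE_ERROR, INVALID_REQUEST, METHOD_NOT_FOUND, INTERNAL_ERROR = -32700, -32600, -32601, -32603
TRUSTED_NS = "gw/"       # hypothetical key namespace for gateway-owned _meta entries
AUDIT: list[dict] = []   # constructed stand-in for the gateway audit sink

def _error(req_id: Any, code: int, message: str) -> dict:
    return {"jsonrpc": "2.0", "id": req_id, "error": {"code": code, "message": message}}

def _text_only(result: Any) -> bool:
    # v1 framing check: every content item must be {"type": "text", "text": <str>}
    content = result.get("content") if isinstance(result, dict) else None
    return isinstance(content, list) and all(
        isinstance(c, dict) and c.get("type") == "text" and isinstance(c.get("text"), str)
        for c in content)

def relay(path: str, body: str, sandbox_id: str, broker: Callable[[dict], dict]) -> dict:
    # One sandbox request in, one JSON-RPC response out; `broker` models the gateway-to-broker call.
    try:
        req = json.loads(body)
    except ValueError:
        return _error(None, PARSE_ERROR, "parse error")
    rid = req.get("id") if isinstance(req, dict) else None
    if not isinstance(req, dict) or req.get("jsonrpc") != "2.0" or not isinstance(req.get("method"), str):
        return _error(rid, INVALID_REQUEST, "invalid request")
    if path != "/mcp":                      # root JSON-RPC has no v1 methods
        return _error(rid, METHOD_NOT_FOUND, "method not found")
    params = req.get("params") or {}
    if not isinstance(params, dict):
        return _error(rid, INVALID_REQUEST, "params must be an object")
    # Drop sandbox-supplied keys in the trusted namespace, then attach gateway-owned sandbox context.
    meta = {k: v for k, v in dict(params.get("_meta") or {}).items() if not k.startswith(TRUSTED_NS)}
    meta[TRUSTED_NS + "sandbox"] = sandbox_id
    params = {**params, "_meta": meta}
    try:
        result = broker({**req, "params": params})
    except Exception:                       # broker identity and failure details stay host-side
        resp = _error(rid, INTERNAL_ERROR, "host tool failed")
    else:
        resp = ({"jsonrpc": "2.0", "id": rid, "result": result} if _text_only(result)
                else _error(rid, INTERNAL_ERROR, "tool result violates v1 envelope"))
    AUDIT.append({"sandbox": sandbox_id, "method": req["method"], "tool": params.get("name"), "ok": "result" in resp})
    return resp

def echo_broker(req: dict) -> dict:
    # Constructed broker: reports the sandbox id the gateway attached, as text content
    return {"content": [{"type": "text", "text": "sandbox=" + req["params"]["_meta"][TRUSTED_NS + "sandbox"]}]}
```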
### Host-Tool Broker
To clarify, this is completely outside of OpenShell? Does this broker use any OpenShell specific conventions?
Returned tool content is text-only and must fit the v1 transport envelope. Broker-side result validation is part of the Machine-Readable Tool Contract below.
## Machine-Readable Tool Contract
### Provider Calls Host Tools Directly
The provider receives a remote MCP or tool-server URL. That exposes host routes outside the OpenShell relay, weakens audit, bypasses the sandbox proxy, and needs a separate RFC covering provider-facing schema generation, callback authentication, result adaptation, and audit correlation.
I don't fully understand all these points. Can you expand on the points and detail how the proposed solution addresses them?
Summary
This PR adds RFC 0005, which proposes `tools.local` as a sandbox-local origin for host-tool discovery and invocation in OpenShell. The design lets sandboxed agents call `POST http://tools.local/mcp` while keeping backend routes, host credentials, and host-local state outside the sandbox.
Related Issue
#1723
Changes
- `tools.local`.
- `/mcp` relay from sandbox proxy to gateway to host-tools broker.
- `POST http://tools.local/` for future OpenShell JSON-RPC methods and keeps it closed in v1.
Testing
- RFC-only documentation change.
- `mise run pre-commit` passes, not run
Checklist