docs(rfc): sandbox-local route for host-tool discovery and invocation#1724
Closed
shiju-nv wants to merge 1 commit into
Closed
docs(rfc): sandbox-local route for host-tool discovery and invocation#1724shiju-nv wants to merge 1 commit into
shiju-nv wants to merge 1 commit into
Conversation
shiju-nv
requested review from
a team,
derekwaynecarr,
maxamillion and
mrunalp
as code owners
|
All contributors have signed the DCO ✍️ ✅ |
shiju-nv
changed the title
Contributor
Author
|
I have read the DCO document and I hereby sign the DCO. |
johntmyers
reviewed
Jun 3, 2026
| [openshell.gateway.host_tools.brokers.local] | ||
| kind = "json_rpc_http" | ||
| base_url = "http://127.0.0.1:7901" | ||
| rpc_path = "/" |
johntmyers
reviewed
Jun 3, 2026
drew
reviewed
Jun 8, 2026
|
|
||
| V1 uses MCP over JSON-RPC 2.0 at `POST http://tools.local/mcp` as the host-tool wire contract. It has three protocol boundaries: | ||
|
|
||
| - Sandbox to `tools.local`. The sandbox proxy reserves the `tools.local` host. Root JSON-RPC has no v1 methods and returns `method not found` for valid requests. The proxy serves `POST http://tools.local/mcp` as the broker-backed MCP-over-JSON-RPC 2.0 HTTP path, applies local admission checks, attaches sandbox context, and never exposes broker identity or backend routes to the sandbox. |
Collaborator
There was a problem hiding this comment.
Is there anything preventing us from using the existing host.openshell.internal endpoint to reach host services instead of creating a new convention?
How does this work in Kubernetes based cloud deployments?
drew
reviewed
Jun 8, 2026
|
|
||
| The server-side component behind the sandbox proxy. For host tools it authenticates sandbox context, adds trusted `_meta`, calls the broker, validates response framing, and writes gateway audit. | ||
|
|
||
| ### Host-Tool Broker |
Collaborator
There was a problem hiding this comment.
To clarify, this is completely outside of OpenShell? Does this broker use any OpenShell specific conventions?
drew
reviewed
Jun 8, 2026
|
|
||
| Returned tool content is text-only and must fit the v1 transport envelope. Broker-side result validation is part of the Machine-Readable Tool Contract below. | ||
|
|
||
| ## Machine-Readable Tool Contract |
drew
reviewed
Jun 8, 2026
Comment on lines
+257
to
+259
| ### Provider Calls Host Tools Directly | ||
|
|
||
| The provider receives a remote MCP or tool-server URL. That exposes host routes outside the OpenShell relay, weakens audit, bypasses the sandbox proxy, and needs a separate RFC covering provider-facing schema generation, callback authentication, result adaptation, and audit correlation. |
Collaborator
There was a problem hiding this comment.
I don't fully understand all these points. Can you expand on the points and detail how the proposed solution addresses them.
Add RFC 0005 as a single clean docs commit on current upstream/main. The RFC defines the tools.local/mcp sandbox-local path, the Sandbox Proxy to broker boundary, JSON-RPC envelope handling, broker assertion JWTs, and the division of responsibility between OpenShell and the host-tool broker. Signed-off-by: Shiju <shiju@nvidia.com>
shiju-nv
force-pushed
the
rfc/0005-host-tools
branch
from
f0ad9f3 to
750aec7
Compare
Collaborator
|
I am going to close this in favor of #1793 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
This PR adds RFC 0005, which proposes
tools.localas a sandbox-local origin for host-tool discovery and invocation in OpenShell. The design lets sandboxed agents callPOST http://tools.local/mcpwhile keeping backend routes, host credentials, and host-local state outside the sandbox.Related Issue
#1723
Changes
tools.local./mcprelay from sandbox proxy to gateway to host-tools broker.POST http://tools.local/for future OpenShell JSON-RPC methods and keeps it closed in v1.Testing
RFC-only documentation change.
mise run pre-commitpasses, not runChecklist