feat(policy): add incremental sandbox policy updates#860

Draft
johntmyers wants to merge 2 commits into main from feat/os-81-incremental-policy-merge
Conversation

@johntmyers
Collaborator

Summary

Add a first-pass incremental sandbox policy update workflow for OS-81 / #825.
The CLI now supports batched openshell policy update operations, the server applies them atomically as one merge batch with optimistic retry on version conflicts, and the policy/docs/agent surfaces are updated to teach the new flow.

Related Issue

Closes #825
Linear: OS-81

Changes

  • added a shared merge engine in openshell-policy for additive/removal operations on network_policies
  • added merge_operations to UpdateConfigRequest and implemented the server-side incremental update path with optimistic concurrency retry
  • added openshell policy update with strict parsing/validation for --add-endpoint, --add-allow, --add-deny, --remove-endpoint, and related flags
  • kept --add-allow and --add-deny REST-specific in this first pass
  • updated user docs and the openshell-cli skill/reference to prefer incremental updates for additive network changes
  • added merge-engine tests plus a server test that verifies concurrent merge batches preserve both updates

Testing

Ran targeted verification:

  • RUSTC_WRAPPER= cargo check -p openshell-cli
  • RUSTC_WRAPPER= cargo check -p openshell-server
  • RUSTC_WRAPPER= cargo test -p openshell-policy
  • RUSTC_WRAPPER= cargo test -p openshell-server concurrent_merge_batches_preserve_both_updates
  • BINDGEN_EXTRA_CLANG_ARGS='-I/opt/homebrew/include' LIBRARY_PATH=/opt/homebrew/lib RUSTC_WRAPPER= cargo test -p openshell-cli --no-run
  • mise run pre-commit passes

mise run pre-commit is currently blocked locally by unrelated untracked files under architecture/plans/ that fail SPDX header checks. Without LIBRARY_PATH=/opt/homebrew/lib, the workspace Rust test step also hits the local z3 linker path issue on this machine.

  • Unit tests added/updated
  • E2E tests added/updated (if applicable)

Checklist

  • Follows Conventional Commits
  • Commits are signed off (DCO)
  • Architecture docs updated (if applicable)

Signed-off-by: John Myers <9696606+johntmyers@users.noreply.github.com>
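The summary above describes the server applying a merge batch atomically with optimistic retry on version conflicts, and a test showing that two concurrent batches both survive. The following is an added illustration of that read-merge-compare-and-swap pattern, written for this page and not taken from the openshell repository; the `NetworkPolicy`, `MergeOp`, `PolicyStore` types, the endpoint strings and the retry count are all assumptions made for the example.

```rust
use std::collections::BTreeSet;
use std::sync::{Arc, Mutex};
use std::thread;

// Constructed toy model, not openshell's own types: a policy is a set of
// allowed endpoints plus a version counter used for optimistic concurrency.
#[derive(Clone, Debug, PartialEq)]
pub struct NetworkPolicy {
    pub version: u64,
    pub endpoints: BTreeSet<String>,
}

// One operation in a merge batch (hypothetical enum; loosely mirrors the
// --add-endpoint / --remove-endpoint flags named in the PR summary).
#[derive(Clone, Debug)]
pub enum MergeOp {
    AddEndpoint(String),
    RemoveEndpoint(String),
}

#[derive(Debug, PartialEq)]
pub enum MergeError {
    // Removing an endpoint that is not present rejects the whole batch,
    // so a batch never lands half-applied.
    UnknownEndpoint(String),
    ConflictRetriesExhausted,
}

/// Pure merge: apply every op to a copy of `base` and bump the version,
/// or fail and leave `base` untouched (all-or-nothing).
pub fn apply_batch(base: &NetworkPolicy, ops: &[MergeOp]) -> Result<NetworkPolicy, MergeError> {
    let mut next = base.clone();
    for op in ops {
        match op {
            MergeOp::AddEndpoint(e) => {
                next.endpoints.insert(e.clone());
            }
            MergeOp::RemoveEndpoint(e) => {
                if !next.endpoints.remove(e) {
                    return Err(MergeError::UnknownEndpoint(e.clone()));
                }
            }
        }
    }
    next.version = base.version + 1;
    Ok(next)
}

/// Versioned store with compare-and-swap commit semantics.
pub struct PolicyStore {
    inner: Mutex<NetworkPolicy>,
}

impl PolicyStore {
    pub fn new(initial: NetworkPolicy) -> Self {
        PolicyStore { inner: Mutex::new(initial) }
    }
    pub fn read(&self) -> NetworkPolicy {
        self.inner.lock().unwrap().clone()
    }
    /// Commit `candidate` only if nobody else committed since `expected_version`.
    pub fn compare_and_swap(&self, expected_version: u64, candidate: NetworkPolicy) -> bool {
        let mut guard = self.inner.lock().unwrap();
        if guard.version != expected_version {
            return false; // stale read: caller must re-read and re-merge
        }
        *guard = candidate;
        true
    }
}

/// Read-merge-commit loop: on a version conflict, re-read the latest policy
/// and re-apply the same batch on top of it, up to `max_attempts` times.
pub fn update_with_retry(store: &PolicyStore, ops: &[MergeOp], max_attempts: usize)
    -> Result<NetworkPolicy, MergeError> {
    for _ in 0..max_attempts {
        let current = store.read();
        let candidate = apply_batch(&current, ops)?; // validation failure: no retry
        if store.compare_and_swap(current.version, candidate.clone()) {
            return Ok(candidate);
        }
    }
    Err(MergeError::ConflictRetriesExhausted)
}

/// Two writers race with different batches; with retry, neither update is lost.
pub fn concurrent_batches_preserve_both() -> NetworkPolicy {
    let store = Arc::new(PolicyStore::new(NetworkPolicy { version: 0, endpoints: BTreeSet::new() }));
    let batches = vec![
        vec![MergeOp::AddEndpoint("pypi.org:443".to_string())],   // constructed sample
        vec![MergeOp::AddEndpoint("github.com:443".to_string())], // constructed sample
    ];
    let handles: Vec<_> = batches.into_iter().map(|ops| {
        let store = Arc::clone(&store);
        thread::spawn(move || update_with_retry(&store, &ops, 8).expect("batch should commit"))
    }).collect();
    for h in handles {
        h.join().expect("writer thread panicked");
    }
    store.read()
}

fn main() {
    let merged = concurrent_batches_preserve_both();
    println!("version {} endpoints {:?}", merged.version, merged.endpoints);
}
```

The important property is that validation failures (`UnknownEndpoint`) are returned immediately rather than retried, while only version conflicts trigger a re-read; a real server would additionally bound the retry count and surface `ConflictRetriesExhausted` to the CLI so the operator can re-run the update against the current policy.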
@johntmyers johntmyers self-assigned this Apr 16, 2026
@copy-pr-bot

copy-pr-bot bot commented Apr 16, 2026

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.

@github-actions

Signed-off-by: John Myers <9696606+johntmyers@users.noreply.github.com>
Development

Successfully merging this pull request may close these issues.

feat: incremental policy updates via openshell policy update