
feat(cli): show active runtime policy when retrieving sandbox #880

Draft
TaylorMutch wants to merge 1 commit into main from tmutch/include-runtime-policy-revision-sandbox-get-output


@TaylorMutch (Collaborator) commented Apr 17, 2026

Summary

openshell sandbox get now fetches and displays the active runtime policy from GetSandboxConfig instead of the creation-time policy stored in the sandbox spec. This ensures the output reflects what's actually enforced at runtime (including any hot-reloaded updates or gateway-global overrides).

A new --policy-only flag on openshell sandbox get prints only the active policy YAML — useful for piping directly into openshell policy set for iteration workflows.

openshell policy get also now surfaces the policy source (sandbox vs global) and flags when a gateway-global policy is active so the displayed sandbox revision isn't mistaken for the effective runtime policy.

Related Issue

Fixes #837

Changes

  • sandbox_get calls GetSandboxConfig to fetch the active runtime policy instead of reading from sandbox.spec.policy
  • Added --policy-only flag to openshell sandbox get to print only the active policy YAML
  • openshell policy get now shows Policy source: sandbox|global and Global revision: when a global policy is active, with a warning note when the requested sandbox revision is not the effective policy
  • Updated CLI reference docs and architecture/security-policy.md
  • Added E2E test coverage for the policy source label in live_policy_update

Testing

  • mise run pre-commit passes
  • Unit tests added/updated
  • E2E tests added/updated (if applicable)

Checklist

  • Follows Conventional Commits
  • Commits are signed off (DCO)
  • Architecture docs updated (if applicable)

@TaylorMutch TaylorMutch self-assigned this Apr 17, 2026

copy-pr-bot bot commented Apr 17, 2026

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.

@github-actions

Thank you for your submission! We ask that you sign our Developer Certificate of Origin before we can accept your contribution. You can sign the DCO by adding a comment below using this text:


I have read the DCO document and I hereby sign the DCO.


You can retrigger this bot by commenting recheck in this Pull Request. Posted by the DCO Assistant Lite bot.

@TaylorMutch TaylorMutch added the test:e2e Requires end-to-end coverage label Apr 17, 2026
Successfully merging this pull request may close these issues.

feat: include runtime policy revisions in sandbox get output
