
refactor: fixed policy approver to be more responsive #34

Merged
nv-kasikritc merged 1 commit into main from fix/policy-approver
Mar 15, 2026

Conversation

@nv-kasikritc
Collaborator

No description provided.

@nv-kasikritc nv-kasikritc merged commit fb41a2e into main Mar 15, 2026
4 checks passed
factory-octavian pushed a commit to factory-octavian/OpenShell-Community that referenced this pull request Apr 1, 2026
… and network policy (!42)

Closes NVIDIA#34

## Summary

- Add `nav ssh-proxy` name mode (`--cluster`/`--name`) and `nav sandbox ssh-config` for VS Code Remote-SSH integration
- Fix VS Code Remote-SSH platform misdetection (was defaulting to Windows/PowerShell)
- Fix sandbox network policy for VS Code server connectivity
- Fix sandbox user shell configuration

## Problem

VS Code Remote-SSH was failing to connect to Navigator sandboxes due to three issues:

1. **Platform misdetection**: VS Code sends `uname -rsv` after a `ready:` marker and expects a response within ~1ms. Forced PTY allocation in `shell_request`, interactive bash (`-i`), and leaked supervisor env vars added enough latency that VS Code timed out and defaulted to "Platform: windows", then tried `powershell`.
2. **Broken network policy**: The `vscode` entry in `dev-sandbox-policy.yaml` was at the YAML top-level instead of nested under `network_policies:` (indentation bug). The VS Code server binary also needed a glob entry.
3. **No login shell**: The sandbox user had `/usr/sbin/nologin` as its shell.

## Changes

| File | Change |
|------|--------|
| `crates/navigator-sandbox/src/ssh.rs` | Remove forced PTY in `shell_request`, remove `-i` flag from pipe exec, add `env_clear()` + explicit `SHELL`/`PATH` to both shell spawn paths |
| `deploy/docker/sandbox/Dockerfile.base` | Change sandbox user shell to `/bin/bash`, set home to `/sandbox`, add `.bashrc`/`.profile` |
| `dev-sandbox-policy.yaml` | Fix `vscode:` indentation under `network_policies:`, add `/sandbox/.vscode-server/*` binary glob |
| `crates/navigator-cli/src/main.rs` | Add `--cluster`/`--name` to `SshProxy`, add `SshConfig`/`Policy`/`Logs` subcommands (rebase merge) |
| `crates/navigator-cli/src/ssh.rs` | Update `print_ssh_config` to use `--cluster` flag |
| `examples/vscode-remote-sandbox.md` | User-facing example and docs |

## How to use

```bash
# Create a persistent sandbox
nav sandbox create --keep my-sandbox

# Generate SSH config
nav sandbox ssh-config my-sandbox >> ~/.ssh/config

# Open VS Code
code --remote ssh-remote+nav-my-sandbox /sandbox
```

## Testing

- All 307 tests pass
- Clippy clean on modified crates
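
The Changes table above names `env_clear()` plus explicit `SHELL`/`PATH` on a piped, non-interactive shell spawn. The following is an added example of that pattern, not code from the project's `ssh.rs`. Assumptions: `/bin/sh` stands in for the sandbox's `/bin/bash`, the `PATH` value is illustrative, and `NAV_SUPERVISOR_TOKEN` is a constructed variable name modelling something held by the supervisor.

```rust
use std::collections::BTreeMap;
use std::process::{Command, Stdio};

// Constructed stand-in for a variable held by the supervisor process.
const SUPERVISOR_VAR: &str = "NAV_SUPERVISOR_TOKEN";

/// Spawn a non-interactive shell over pipes (no PTY, no `-i`) and return
/// the environment the child actually saw.
fn child_env(hardened: bool) -> BTreeMap<String, String> {
    let mut cmd = Command::new("/bin/sh");
    // Model the supervisor's own environment reaching the spawn call.
    cmd.env(SUPERVISOR_VAR, "constructed-secret");
    if hardened {
        // Drop everything inherited or set so far, then allowlist two names.
        cmd.env_clear()
            .env("SHELL", "/bin/sh")
            .env("PATH", "/usr/local/bin:/usr/bin:/bin");
    }
    let out = cmd
        .arg("-c")
        .arg("env")
        .stdin(Stdio::null())
        .stdout(Stdio::piped())
        .stderr(Stdio::null())
        .output()
        .expect("failed to spawn /bin/sh");
    let text = String::from_utf8_lossy(&out.stdout).into_owned();
    text.lines()
        .filter_map(|l| l.split_once('='))
        .map(|(k, v)| (k.to_string(), v.to_string()))
        .collect()
}

/// Names in the child that are neither allowlisted nor set by the shell itself.
fn unexpected_vars(env: &BTreeMap<String, String>) -> Vec<String> {
    const ALLOWED: [&str; 6] = ["SHELL", "PATH", "PWD", "OLDPWD", "SHLVL", "_"];
    env.keys().filter(|k| !ALLOWED.contains(&k.as_str())).cloned().collect()
}

fn main() {
    println!("inherited: {:?}", unexpected_vars(&child_env(false)));
    println!("hardened:  {:?}", unexpected_vars(&child_env(true)));
}
```

`env_clear()` also discards variables set on the `Command` before it is called, so the allowlisted `env()` calls have to come after it.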