feat(policy): add MCP-aware JSON-RPC L7 governance

.github/workflows/e2e-test.yml

@@ -44,6 +44,9 @@ jobs:
             cmd: "mise run --no-deps --skip-deps e2e:podman:rootless"
             apt_packages: "openssh-client podman uidmap"
             rootless: true
+          - suite: mcp
+            cmd: "mise run --no-deps --skip-deps e2e:mcp"
+            apt_packages: ""
     container:
       image: ghcr.io/nvidia/openshell/ci:latest
       credentials:
@@ -66,6 +69,23 @@ jobs:
         with:
           ref: ${{ inputs['checkout-ref'] || github.sha }}
 
+      - name: Check out MCP conformance tests
+        if: matrix.suite == 'mcp'
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        with:
+          repository: modelcontextprotocol/conformance
+          # Pin after v0.1.16 to include the tools_call client scenario fix.
+          ref: b9041ea41b0188581803459dbae71bc7e02fd995
+          path: .cache/mcp-conformance
+
+      - name: Set up Node.js
+        if: matrix.suite == 'mcp'
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
+        with:
+          node-version: "22"
+          cache: npm
+          cache-dependency-path: .cache/mcp-conformance/package-lock.json
+
       - name: Install OS test dependencies
         if: matrix.apt_packages != ''
         env:
@@ -104,6 +124,7 @@ jobs:
       - name: Run tests
         env:
           OPENSHELL_SUPERVISOR_IMAGE: ${{ format('ghcr.io/nvidia/openshell/supervisor:{0}', inputs.image-tag) }}
+          OPENSHELL_MCP_CONFORMANCE_CLIENT_IMAGE: ${{ format('openshell-mcp-conformance-client:{0}', inputs.image-tag) }}
           E2E_CMD: ${{ matrix.cmd }}
         run: |
           if [ "${{ matrix.rootless }}" = "true" ]; then

Cargo.toml

@@ -8,7 +8,7 @@ members = ["crates/*"]
 [workspace.package]
 version = "0.0.0"
 edition = "2024"
-rust-version = "1.88"
+rust-version = "1.90"
 license = "Apache-2.0"
 repository = "https://github.com/NVIDIA/OpenShell"
 
@@ -73,6 +73,7 @@ serde_json = "1"
 serde_yml = "0.0.12"
 toml = "0.8"
 apollo-parser = "0.8.5"
+tower-mcp-types = "0.12.0"
 
 # HTTP client
 reqwest = { version = "0.12", default-features = false, features = ["json", "rustls-tls-native-roots"] }

architecture/sandbox.md

@@ -51,12 +51,13 @@ identifies the calling binary, checks trust-on-first-use binary identity, reject
 unsafe internal destinations, and evaluates the active policy.
 For inspected HTTP traffic, the proxy can enforce REST method/path rules,
 WebSocket upgrade and text-message rules, GraphQL operation rules, and
-JSON-RPC method and params rules on sandbox-to-server request bodies. JSON-RPC
-request inspection buffers up to the endpoint `json_rpc.max_body_bytes` limit.
-Literal dotted keys in JSON-RPC params are rejected before policy evaluation so
-they cannot be confused with flattened nested selector paths.
-JSON-RPC responses and server-to-client MCP messages on response or SSE streams
-are relayed but are not currently parsed for policy enforcement.
+MCP or generic JSON-RPC method and params rules on sandbox-to-server request
+bodies. MCP and JSON-RPC inspection buffers up to the endpoint
+`mcp.max_body_bytes` or `json_rpc.max_body_bytes` limit. Literal dotted keys in
+JSON-RPC params are rejected before policy evaluation so they cannot be confused
+with flattened nested selector paths. JSON-RPC responses and server-to-client
+MCP messages on response or SSE streams are relayed but are not currently
+parsed for policy enforcement.
 
 `https://inference.local` is special. It bypasses OPA network policy and is
 handled by the inference interception path: