refactor(openshell-sandbox): Split sandbox into process and network subcrates.

crates/openshell-core/Cargo.toml

@@ -13,19 +13,33 @@ repository.workspace = true
 [dependencies]
 prost = { workspace = true }
 prost-types = { workspace = true }
-tonic = { workspace = true }
+tonic = { workspace = true, features = ["channel", "tls"] }
+tokio = { workspace = true }
 thiserror = { workspace = true }
 miette = { workspace = true }
 serde = { workspace = true }
 serde_json = { workspace = true }
+tracing = { workspace = true }
 url = { workspace = true }
 ipnet = "2"
+base64 = { workspace = true }
+
+[target.'cfg(target_os = "linux")'.dependencies]
+openshell-ocsf = { path = "../openshell-ocsf" }
+uuid = { workspace = true }
+libc = "0.2"
+tempfile = "3"
+nix = { workspace = true }
 
 [features]
 ## Include test-only settings (dummy_bool, dummy_int) in the registry.
 ## Off by default so production builds have an empty registry.
 ## Enabled by e2e tests and during development.
 dev-settings = []
+## Expose proposals::test_helpers (`ProposalsFlagGuard`) to downstream test
+## code in other crates. Enabled by openshell-sandbox and
+## openshell-supervisor-network dev builds.
+test-helpers = []
 
 [build-dependencies]
 tonic-build = { workspace = true }

crates/openshell-sandbox/src/grpc_client.rs → crates/openshell-core/src/grpc_client.rs

@@ -22,15 +22,15 @@ use std::collections::HashMap;
 use std::sync::{Arc, OnceLock, RwLock};
 use std::time::{Duration, SystemTime, UNIX_EPOCH};
 
-use miette::{IntoDiagnostic, Result, WrapErr};
-use openshell_core::proto::{
+use crate::proto::{
     DenialSummary, GetDraftPolicyRequest, GetInferenceBundleRequest, GetInferenceBundleResponse,
     GetSandboxConfigRequest, GetSandboxProviderEnvironmentRequest, IssueSandboxTokenRequest,
     PolicyChunk, PolicySource, PolicyStatus, RefreshSandboxTokenRequest, ReportPolicyStatusRequest,
     SandboxPolicy as ProtoSandboxPolicy, SubmitPolicyAnalysisRequest, SubmitPolicyAnalysisResponse,
     UpdateConfigRequest, inference_client::InferenceClient, open_shell_client::OpenShellClient,
 };
-use openshell_core::sandbox_env;
+use crate::sandbox_env;
+use miette::{IntoDiagnostic, Result, WrapErr};
 use tonic::Status;
 use tonic::metadata::AsciiMetadataValue;
 use tonic::service::interceptor::InterceptedService;
@@ -674,7 +674,7 @@ pub struct SettingsPollResult {
     pub config_revision: u64,
     pub policy_source: PolicySource,
     /// Effective settings keyed by name.
-    pub settings: HashMap<String, openshell_core::proto::EffectiveSetting>,
+    pub settings: HashMap<String, crate::proto::EffectiveSetting>,
     /// When `policy_source` is `Global`, the version of the global policy revision.
     pub global_policy_version: u32,
     pub provider_env_revision: u64,

crates/openshell-core/src/lib.rs

@@ -15,14 +15,21 @@ pub mod driver_utils;
 pub mod error;
 pub mod forward;
 pub mod gpu;
+pub mod grpc_client;
 pub mod image;
 pub mod inference;
 pub mod metadata;
 pub mod net;
+#[cfg(target_os = "linux")]
+pub mod netns;
 pub mod paths;
+pub mod policy;
 pub mod progress;
+pub mod proposals;
 pub mod proto;
+pub mod provider_credentials;
 pub mod sandbox_env;
+pub mod secrets;
 pub mod settings;
 pub mod time;
 

crates/openshell-sandbox/src/sandbox/linux/netns.rs → crates/openshell-core/src/netns/mod.rs

@@ -7,6 +7,8 @@
 //! the sandbox to the host. This ensures the sandboxed process can only
 //! communicate through the proxy running on the host side of the veth.
 
+mod nft_ruleset;
+
 use miette::{IntoDiagnostic, Result};
 use std::net::IpAddr;
 use std::os::unix::io::RawFd;
@@ -71,7 +73,7 @@ impl NetworkNamespace {
             .unwrap();
 
         openshell_ocsf::ocsf_emit!(
-            openshell_ocsf::ConfigStateChangeBuilder::new(crate::ocsf_ctx())
+            openshell_ocsf::ConfigStateChangeBuilder::new(openshell_ocsf::ctx::ctx())
                 .severity(openshell_ocsf::SeverityId::Informational)
                 .status(openshell_ocsf::StatusId::Success)
                 .state(openshell_ocsf::StateId::Enabled, "creating")
@@ -165,7 +167,7 @@ impl NetworkNamespace {
         };
 
         openshell_ocsf::ocsf_emit!(
-            openshell_ocsf::ConfigStateChangeBuilder::new(crate::ocsf_ctx())
+            openshell_ocsf::ConfigStateChangeBuilder::new(openshell_ocsf::ctx::ctx())
                 .severity(openshell_ocsf::SeverityId::Informational)
                 .status(openshell_ocsf::StatusId::Success)
                 .state(openshell_ocsf::StateId::Enabled, "created")
@@ -262,7 +264,7 @@ impl NetworkNamespace {
     pub fn install_bypass_rules(&self, proxy_port: u16) -> Result<()> {
         let Some(nft_path) = find_nft() else {
             openshell_ocsf::ocsf_emit!(
-                openshell_ocsf::ConfigStateChangeBuilder::new(crate::ocsf_ctx())
+                openshell_ocsf::ConfigStateChangeBuilder::new(openshell_ocsf::ctx::ctx())
                     .severity(openshell_ocsf::SeverityId::Medium)
                     .status(openshell_ocsf::StatusId::Failure)
                     .state(openshell_ocsf::StateId::Disabled, "degraded")
@@ -287,15 +289,12 @@ impl NetworkNamespace {
         // before reject rules in the chain so packets are logged before being
         // rejected. If the kernel lacks nft_log support, fall back to the
         // reject-only ruleset.
-        let ruleset_with_log = super::nft_ruleset::generate_bypass_ruleset(
-            &host_ip_str,
-            proxy_port,
-            Some(&log_prefix),
-        );
+        let ruleset_with_log =
+            nft_ruleset::generate_bypass_ruleset(&host_ip_str, proxy_port, Some(&log_prefix));
 
         if let Err(e) = run_nft_netns(&self.name, &nft_path, &ruleset_with_log) {
             openshell_ocsf::ocsf_emit!(
-                openshell_ocsf::ConfigStateChangeBuilder::new(crate::ocsf_ctx())
+                openshell_ocsf::ConfigStateChangeBuilder::new(openshell_ocsf::ctx::ctx())
                     .severity(openshell_ocsf::SeverityId::Low)
                     .status(openshell_ocsf::StatusId::Failure)
                     .state(openshell_ocsf::StateId::Other, "degraded")
@@ -307,11 +306,11 @@ impl NetworkNamespace {
             );
 
             let ruleset_no_log =
-                super::nft_ruleset::generate_bypass_ruleset(&host_ip_str, proxy_port, None);
+                nft_ruleset::generate_bypass_ruleset(&host_ip_str, proxy_port, None);
 
             if let Err(e) = run_nft_netns(&self.name, &nft_path, &ruleset_no_log) {
                 openshell_ocsf::ocsf_emit!(
-                    openshell_ocsf::ConfigStateChangeBuilder::new(crate::ocsf_ctx())
+                    openshell_ocsf::ConfigStateChangeBuilder::new(openshell_ocsf::ctx::ctx())
                         .severity(openshell_ocsf::SeverityId::Medium)
                         .status(openshell_ocsf::StatusId::Failure)
                         .state(openshell_ocsf::StateId::Disabled, "failed")
@@ -326,7 +325,7 @@ impl NetworkNamespace {
         }
 
         openshell_ocsf::ocsf_emit!(
-            openshell_ocsf::ConfigStateChangeBuilder::new(crate::ocsf_ctx())
+            openshell_ocsf::ConfigStateChangeBuilder::new(openshell_ocsf::ctx::ctx())
                 .severity(openshell_ocsf::SeverityId::Informational)
                 .status(openshell_ocsf::StatusId::Success)
                 .state(openshell_ocsf::StateId::Enabled, "installed")
@@ -369,7 +368,7 @@ impl Drop for NetworkNamespace {
         }
 
         openshell_ocsf::ocsf_emit!(
-            openshell_ocsf::ConfigStateChangeBuilder::new(crate::ocsf_ctx())
+            openshell_ocsf::ConfigStateChangeBuilder::new(openshell_ocsf::ctx::ctx())
                 .severity(openshell_ocsf::SeverityId::Informational)
                 .status(openshell_ocsf::StatusId::Success)
                 .state(openshell_ocsf::StateId::Disabled, "cleaned_up")

crates/openshell-core/src/paths.rs

@@ -1,12 +1,14 @@
 // SPDX-FileCopyrightText: Copyright (c) 2025-2026 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
 // SPDX-License-Identifier: Apache-2.0
 
-//! Centralized XDG config directory resolution and permission helpers.
+//! Path utilities: XDG config directory resolution, permission helpers, and
+//! lexical path normalization.
 //!
 //! All `OpenShell` crates should use [`xdg_config_dir`] from this module instead
 //! of reimplementing the XDG lookup. The permission helpers ensure that
 //! sensitive files (private keys, tokens) and the directories containing them
-//! are created with restrictive modes.
+//! are created with restrictive modes. [`normalize_path`] performs purely
+//! lexical normalization (no filesystem access, no symlink resolution).
 
 use miette::{IntoDiagnostic, Result, WrapErr};
 use std::path::{Path, PathBuf};
@@ -126,6 +128,33 @@ pub fn is_file_permissions_too_open(path: &Path) -> bool {
     std::fs::metadata(path).is_ok_and(|m| m.permissions().mode() & 0o077 != 0)
 }
 
+/// Normalize a filesystem path by collapsing redundant separators
+/// and removing trailing slashes, without requiring the path to exist on disk.
+///
+/// This is a lexical normalization only — it does NOT resolve symlinks or
+/// check the filesystem. `..` components are preserved verbatim; callers that
+/// need to reject parent traversal must validate separately.
+pub fn normalize_path(path: &str) -> String {
+    use std::path::Component;
+
+    let p = Path::new(path);
+    let mut normalized = PathBuf::new();
+    for component in p.components() {
+        match component {
+            Component::Prefix(prefix) => normalized.push(prefix.as_os_str()),
+            #[allow(clippy::path_buf_push_overwrite)]
+            Component::RootDir => normalized.push("/"),
+            Component::CurDir => {} // skip "."
+            Component::ParentDir => {
+                // Keep ".." — validation will catch it separately
+                normalized.push("..");
+            }
+            Component::Normal(c) => normalized.push(c),
+        }
+    }
+    normalized.to_string_lossy().to_string()
+}
+
 #[cfg(test)]
 mod tests {
     use super::*;
@@ -201,4 +230,17 @@ mod tests {
         std::fs::set_permissions(&file, std::fs::Permissions::from_mode(0o600)).unwrap();
         assert!(!is_file_permissions_too_open(&file));
     }
+
+    #[test]
+    fn normalize_path_collapses_separators() {
+        assert_eq!(normalize_path("/usr//lib"), "/usr/lib");
+        assert_eq!(normalize_path("/usr/./lib"), "/usr/lib");
+        assert_eq!(normalize_path("/tmp/"), "/tmp");
+    }
+
+    #[test]
+    fn normalize_path_preserves_parent_dir() {
+        // normalize_path preserves ".." — validation catches it separately
+        assert_eq!(normalize_path("/usr/../etc"), "/usr/../etc");
+    }
 }

crates/openshell-sandbox/src/policy.rs → crates/openshell-core/src/policy.rs

@@ -3,7 +3,8 @@
 
 //! Sandbox policy configuration.
 
-use openshell_core::proto::{
+use crate::paths::normalize_path;
+use crate::proto::{
     FilesystemPolicy as ProtoFilesystemPolicy, LandlockPolicy as ProtoLandlockPolicy,
     ProcessPolicy as ProtoProcessPolicy, SandboxPolicy as ProtoSandboxPolicy,
 };
@@ -125,12 +126,12 @@ impl From<ProtoFilesystemPolicy> for FilesystemPolicy {
             read_only: proto
                 .read_only
                 .into_iter()
-                .map(|p| PathBuf::from(openshell_policy::normalize_path(&p)))
+                .map(|p| PathBuf::from(normalize_path(&p)))
                 .collect(),
             read_write: proto
                 .read_write
                 .into_iter()
-                .map(|p| PathBuf::from(openshell_policy::normalize_path(&p)))
+                .map(|p| PathBuf::from(normalize_path(&p)))
                 .collect(),
             include_workdir: proto.include_workdir,
         }