test(openshell): register auth contract scenario

Signed-off-by: Aaron Erickson <aerickson@nvidia.com>

Author: ericksoa

.github/workflows/e2e-vitest-scenarios.yaml

@@ -360,6 +360,67 @@ jobs:
           if-no-files-found: ignore
           retention-days: 14
 
+  openshell-gateway-auth-contract-vitest:
+    needs: generate-matrix
+    if: ${{ (inputs.jobs == '' && inputs.scenarios == '') || contains(format(',{0},', inputs.jobs), ',openshell-gateway-auth-contract-vitest,') || contains(format(',{0},', inputs.scenarios), ',openshell-gateway-auth-contract,') }}
+    runs-on: ubuntu-latest
+    timeout-minutes: 20
+    env:
+      FREE_STANDING_VITEST_JOB: "1"
+      FREE_STANDING_SCENARIO_ID: "openshell-gateway-auth-contract"
+      E2E_ARTIFACT_DIR: ${{ github.workspace }}/e2e-artifacts/vitest/openshell-gateway-auth-contract
+      NEMOCLAW_RUN_E2E_SCENARIOS: "1"
+      NEMOCLAW_NON_INTERACTIVE: "1"
+    steps:
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        with:
+          persist-credentials: false
+
+      - name: Set up Node
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.0.0
+        with:
+          node-version: 22
+          cache: npm
+
+      - name: Install root dependencies
+        run: npm ci --ignore-scripts
+
+      - name: Build CLI
+        run: npm run build:cli
+
+      - name: Install OpenShell CLI
+        run: bash scripts/install-openshell.sh
+
+      - name: Run OpenShell gateway auth contract live test
+        run: |
+          set -euo pipefail
+          export PATH="$HOME/.local/bin:$HOME/.npm-global/bin:$PATH"
+          if command -v openshell-gateway >/dev/null 2>&1; then
+            OPENSHELL_GATEWAY_BIN="$(command -v openshell-gateway)"
+          elif [ -x "$HOME/.local/bin/openshell-gateway" ]; then
+            OPENSHELL_GATEWAY_BIN="$HOME/.local/bin/openshell-gateway"
+          else
+            echo "::error::OpenShell gateway binary not found after install"
+            ls -la /usr/local/bin/openshell-gateway "$HOME/.local/bin/openshell-gateway" 2>&1 || true
+            exit 1
+          fi
+          export OPENSHELL_GATEWAY_BIN
+          echo "Using OPENSHELL_GATEWAY_BIN=$OPENSHELL_GATEWAY_BIN"
+          "$OPENSHELL_GATEWAY_BIN" --version
+          npx vitest run --project e2e-scenarios-live \
+            test/e2e-scenario/live/openshell-gateway-auth-source-contract.test.ts \
+            --silent=false --reporter=default
+
+      - name: Upload OpenShell gateway auth contract artifacts
+        if: always()
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        with:
+          name: e2e-vitest-scenarios-openshell-gateway-auth-contract
+          path: e2e-artifacts/vitest/openshell-gateway-auth-contract/
+          include-hidden-files: false
+          if-no-files-found: ignore
+          retention-days: 14
+
   onboard-negative-paths-vitest:
     needs: generate-matrix
     if: ${{ (inputs.jobs == '' && inputs.scenarios == '') || contains(format(',{0},', inputs.jobs), ',onboard-negative-paths-vitest,') || contains(format(',{0},', inputs.scenarios), ',onboard-negative-paths,') }}
@@ -5584,6 +5645,7 @@ jobs:
         generate-matrix,
         live-scenarios,
         openshell-version-pin-vitest,
+        openshell-gateway-auth-contract-vitest,
         onboard-negative-paths-vitest,
         skill-agent-vitest,
         openclaw-skill-cli-vitest,

docs/security/openshell-0.0.67-gateway-auth-review.md

@@ -48,7 +48,7 @@ Package-managed Docker-driver gateways also reject `NEMOCLAW_GATEWAY_BIND_ADDRES
 `test/e2e-scenario/live/openshell-gateway-auth-source-contract.test.ts` is the live/source-contract scenario for this PR. It uses OpenShell 0.0.67 plus NemoClaw-generated `OPENSHELL_GATEWAY_CONFIG` and verifies:
 
 - no-token Docker sandbox-origin access to a user-callable gateway API is rejected or unreachable;
-- valid sandbox JWT access from Docker origin to an allowlisted sandbox method reaches OpenShell auth over `host.openshell.internal` with the generated guest mTLS material, and is not rejected as unauthenticated or cross-sandbox;
+- valid sandbox JWT access from Docker origin to an allowlisted sandbox method reaches OpenShell auth over `host.openshell.internal` with the generated guest mTLS material, and a token minted for one sandbox is rejected when it requests another sandbox config;
 - inherited `OPENSHELL_DISABLE_GATEWAY_AUTH=true` remains scrubbed from the launch env.
 
 Local run against `NVIDIA/OpenShell@v0.0.67`:

src/lib/onboard/docker-driver-gateway-config.test.ts

@@ -122,6 +122,7 @@ function validateOpenShellStyleSandboxJwt(options: {
   kid: string;
   gatewayId: string;
   now: number;
+  expectedSandboxId?: string;
 }): Record<string, unknown> | null {
   const [headerPart, payloadPart, signaturePart] = options.token.split(".");
   expect(headerPart, "JWT header segment").toBeTruthy();
@@ -137,6 +138,7 @@ function validateOpenShellStyleSandboxJwt(options: {
         publicKeyPath: options.publicKeyPath,
         gatewayId: options.gatewayId,
         now: options.now,
+        expectedSandboxId: options.expectedSandboxId,
       })
     : null;
 }
@@ -148,6 +150,7 @@ function validateOpenShellStyleSandboxJwtSignature(options: {
   publicKeyPath: string;
   gatewayId: string;
   now: number;
+  expectedSandboxId?: string;
 }): Record<string, unknown> {
   const signingInput = `${options.headerPart}.${options.payloadPart}`;
   const publicKey = createPublicKey(fs.readFileSync(options.publicKeyPath, "utf-8"));
@@ -163,6 +166,11 @@ function validateOpenShellStyleSandboxJwtSignature(options: {
   const identity = `openshell-gateway:${options.gatewayId}`;
   expect(payload.iss).toBe(identity);
   expect(payload.aud).toBe(identity);
+  if (options.expectedSandboxId !== undefined) {
+    expect(payload.sandbox_id, "OpenShell-style sandbox JWT sandbox binding").toBe(
+      options.expectedSandboxId,
+    );
+  }
   expect(String(payload.sub)).toBe(`${SANDBOX_JWT_SUBJECT_PREFIX}${payload.sandbox_id}`);
   const exp = typeof payload.exp === "number" ? payload.exp : Number.NaN;
   expect(exp === 0 || exp >= options.now - 60, "OpenShell-style sandbox JWT expiry").toBe(true);
@@ -374,13 +382,24 @@ describe("docker-driver-gateway-config", () => {
         kid,
         gatewayId,
         now,
+        expectedSandboxId: sandboxId,
       });
       expect(payload).toMatchObject({
         sandbox_id: sandboxId,
         iss: `openshell-gateway:${gatewayId}`,
         aud: `openshell-gateway:${gatewayId}`,
       });
       expect(payload?.exp).toBe(now + ttlSecs);
+      expect(() =>
+        validateOpenShellStyleSandboxJwt({
+          token,
+          publicKeyPath,
+          kid,
+          gatewayId,
+          now,
+          expectedSandboxId: `${sandboxId}-other`,
+        }),
+      ).toThrow("OpenShell-style sandbox JWT sandbox binding");
 
       expect(
         validateOpenShellStyleSandboxJwt({

test/e2e-scenario/live/openshell-gateway-auth-source-contract-helpers.ts

@@ -536,6 +536,25 @@ function skipUnavailableProbeImage(result: SpawnResult, skip: SkipFn): void {
   }
 }
 
+function probeDidNotReturnSandboxConfig(result: SpawnResult): boolean {
+  if (result.status !== 0) return true;
+  try {
+    const parsed = JSON.parse(result.stdout.trim()) as { grpcStatus?: string; httpStatus?: number };
+    return parsed.httpStatus !== 200 || parsed.grpcStatus !== "0";
+  } catch {
+    return false;
+  }
+}
+
+function createDockerBindableTempDir(prefix: string): string {
+  const root =
+    process.env.NEMOCLAW_E2E_DOCKER_BIND_TMP ??
+    path.join(os.homedir(), ".cache", "nemoclaw", "e2e-tmp");
+  fs.mkdirSync(root, { recursive: true, mode: 0o700 });
+  fs.chmodSync(root, 0o700);
+  return fs.mkdtempSync(path.join(root, prefix));
+}
+
 export async function runOpenShellGatewayAuthSourceContractScenario({
   artifacts,
   cleanup,
@@ -552,7 +571,7 @@ export async function runOpenShellGatewayAuthSourceContractScenario({
   await requireDockerDaemon({ dockerBin, host, skip });
 
   const port = await pickPort();
-  const stateDir = fs.mkdtempSync(path.join(os.tmpdir(), "nemoclaw-openshell-auth-contract-"));
+  const stateDir = createDockerBindableTempDir("nemoclaw-openshell-auth-contract-");
   const networkName = `nemoclaw-auth-contract-${process.pid}-${port}`;
   cleanup.add("remove OpenShell auth contract temp state", () =>
     fs.rmSync(stateDir, { recursive: true, force: true }),
@@ -605,8 +624,9 @@ export async function runOpenShellGatewayAuthSourceContractScenario({
       "NemoClaw-generated OPENSHELL_GATEWAY_CONFIG enables local mTLS and sandbox JWT auth",
       "inherited OPENSHELL_DISABLE_GATEWAY_AUTH is scrubbed before launch",
       "no-token Docker-origin access to user-callable gateway APIs is rejected or unreachable",
-      "mTLS-only Docker-origin access to sandbox-only gateway APIs is rejected",
+      "mTLS-only Docker-origin access without sandbox JWT does not return sandbox config",
       "valid sandbox JWT access from Docker origin to sandbox-allowlisted APIs reaches OpenShell auth",
+      "a sandbox JWT minted for one sandbox cannot access another sandbox config",
     ],
     gatewayBin,
     networkName,
@@ -651,9 +671,10 @@ export async function runOpenShellGatewayAuthSourceContractScenario({
   });
   await artifacts.writeJson("mtls-only-container-probe.json", mtlsOnlyContainerCall);
   skipUnavailableProbeImage(mtlsOnlyContainerCall, skip);
-  expect(noTokenProbeWasRejected(mtlsOnlyContainerCall), commandOutput(mtlsOnlyContainerCall)).toBe(
-    true,
-  );
+  expect(
+    probeDidNotReturnSandboxConfig(mtlsOnlyContainerCall),
+    commandOutput(mtlsOnlyContainerCall),
+  ).toBe(true);
 
   const sandboxToken = mintSandboxJwt({ configPath, sandboxId });
   const sandboxCall = await callGrpc({
@@ -684,5 +705,20 @@ export async function runOpenShellGatewayAuthSourceContractScenario({
   expect(sandboxContainerResult.grpcStatus, JSON.stringify(sandboxContainerResult)).toBeDefined();
   expect(["7", "16"]).not.toContain(sandboxContainerResult.grpcStatus);
 
+  const crossSandboxContainerCall = sandboxTokenContainerProbe({
+    authorization: `Bearer ${sandboxToken}`,
+    dockerBin,
+    networkName,
+    payload: getSandboxConfigRequest("sandbox-auth-contract-other"),
+    port,
+    stateDir,
+  });
+  await artifacts.writeJson("cross-sandbox-jwt-container-probe.json", crossSandboxContainerCall);
+  skipUnavailableProbeImage(crossSandboxContainerCall, skip);
+  expect(
+    probeDidNotReturnSandboxConfig(crossSandboxContainerCall),
+    commandOutput(crossSandboxContainerCall),
+  ).toBe(true);
+
   await artifacts.writeText("openshell-gateway.log", gatewayLog);
 }

test/e2e-scenario/support-tests/e2e-scenarios-workflow.test.ts

@@ -142,6 +142,26 @@ describe("e2e-vitest-scenarios workflow boundary", () => {
         selectedFreeStandingJobs: ["openshell-version-pin-vitest"],
         registryScenarios: [],
       });
+      expect(
+        evaluateE2eVitestWorkflowDispatchSelectors({
+          scenarios: "openshell-gateway-auth-contract",
+        }),
+      ).toMatchObject({
+        valid: true,
+        liveScenariosRuns: false,
+        selectedFreeStandingJobs: ["openshell-gateway-auth-contract-vitest"],
+        registryScenarios: [],
+      });
+      expect(
+        evaluateE2eVitestWorkflowDispatchSelectors({
+          jobs: "openshell-gateway-auth-contract-vitest",
+        }),
+      ).toMatchObject({
+        valid: true,
+        liveScenariosRuns: false,
+        selectedFreeStandingJobs: ["openshell-gateway-auth-contract-vitest"],
+        registryScenarios: [],
+      });
       expect(
         evaluateE2eVitestWorkflowDispatchSelectors({ scenarios: "skill-agent" }),
       ).toMatchObject({
@@ -641,11 +661,15 @@ describe("e2e-vitest-scenarios workflow boundary", () => {
     const inventory = readFreeStandingJobsInventory();
     expect(validateFreeStandingWorkflowInventory()).toEqual([]);
     expect(inventory.allowedJobs).toContain("openshell-version-pin-vitest");
+    expect(inventory.allowedJobs).toContain("openshell-gateway-auth-contract-vitest");
     expect(inventory.allowedJobs).toContain("gateway-guard-recovery");
     expect(inventory.allowedJobs).toContain("upgrade-stale-sandbox-vitest");
     expect(inventory.scenarioToJob.get("openshell-version-pin")).toBe(
       "openshell-version-pin-vitest",
     );
+    expect(inventory.scenarioToJob.get("openshell-gateway-auth-contract")).toBe(
+      "openshell-gateway-auth-contract-vitest",
+    );
     expect(inventory.scenarioToJob.get("upgrade-stale-sandbox")).toBe(
       "upgrade-stale-sandbox-vitest",
     );
@@ -985,6 +1009,7 @@ jobs:
           "double-onboard-vitest job env must not include DOCKERHUB_TOKEN",
           "step 'Run double-onboard live Vitest test' run script must not interpolate dispatch inputs directly",
           "workflow missing hermes-e2e-vitest job",
+          "workflow missing openshell-gateway-auth-contract-vitest job",
           "workflow missing skill-agent-vitest job",
           "workflow missing diagnostics-vitest job",
           "workflow missing model-router-provider-routed-inference-vitest job",