NVIDIA · krishicks · Jun 10, 2026 · Jun 10, 2026 · Jun 10, 2026 · Jun 10, 2026
@@ -111,6 +111,16 @@ jobs:
     with:
       image-tag: ${{ github.sha }}
 
+  mcp-conformance:
+    needs: [pr_metadata, build-gateway, build-supervisor]
+    if: needs.pr_metadata.outputs.should_run == 'true' && needs.pr_metadata.outputs.run_core_e2e == 'true'
+    permissions:
+      contents: read
+      packages: read
+    uses: ./.github/workflows/mcp-conformance.yml
+    with:
+      image-tag: ${{ github.sha }}
+
   kubernetes-ha-e2e:
     needs: [pr_metadata, build-gateway, build-supervisor]
     if: needs.pr_metadata.outputs.should_run == 'true' && needs.pr_metadata.outputs.run_kubernetes_ha_e2e == 'true'
@@ -126,7 +136,7 @@ jobs:
 
   core-e2e-result:
     name: Core E2E result
-    needs: [pr_metadata, build-gateway, build-supervisor, e2e, kubernetes-e2e]
+    needs: [pr_metadata, build-gateway, build-supervisor, e2e, kubernetes-e2e, mcp-conformance]
     if: always() && needs.pr_metadata.outputs.should_run == 'true' && needs.pr_metadata.outputs.run_core_e2e == 'true'
     runs-on: ubuntu-latest
     steps:
@@ -136,14 +146,16 @@ jobs:
           BUILD_SUPERVISOR_RESULT: ${{ needs.build-supervisor.result }}
           E2E_RESULT: ${{ needs.e2e.result }}
           KUBERNETES_E2E_RESULT: ${{ needs.kubernetes-e2e.result }}
+          MCP_CONFORMANCE_RESULT: ${{ needs.mcp-conformance.result }}
         run: |
           set -euo pipefail
           failed=0
           for item in \
             "build-gateway:$BUILD_GATEWAY_RESULT" \
             "build-supervisor:$BUILD_SUPERVISOR_RESULT" \
             "e2e:$E2E_RESULT" \
-            "kubernetes-e2e:$KUBERNETES_E2E_RESULT"; do
+            "kubernetes-e2e:$KUBERNETES_E2E_RESULT" \
+            "mcp-conformance:$MCP_CONFORMANCE_RESULT"; do
             name="${item%%:*}"
             result="${item#*:}"
             if [ "$result" != "success" ]; then

@@ -0,0 +1,99 @@
+name: MCP Conformance Test
+
+on:
+  workflow_call:
+    inputs:
+      image-tag:
+        description: "Image tag to test (typically the commit SHA)"
+        required: true
+        type: string
+      runner:
+        description: "GitHub Actions runner label"
+        required: false
+        type: string
+        default: "linux-amd64-cpu8"
+      checkout-ref:
+        description: "Git ref to check out for test inputs (defaults to the workflow SHA)"
+        required: false
+        type: string
+        default: ""
+
+permissions:
+  contents: read
+  packages: read
+
+jobs:
+  mcp-conformance:
+    name: MCP Conformance
+    runs-on: ${{ inputs.runner }}
+    timeout-minutes: 40
+    defaults:
+      run:
+        shell: bash
+    container:
+      image: ghcr.io/nvidia/openshell/ci:latest
+      credentials:
+        username: ${{ github.actor }}
+        password: ${{ secrets.GITHUB_TOKEN }}
+      options: --privileged
+      volumes:
+        - /var/run/docker.sock:/var/run/docker.sock
+        - /home/runner/_work:/home/runner/_work
+    env:
+      MISE_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      IMAGE_TAG: ${{ inputs.image-tag }}
+      OPENSHELL_REGISTRY: ghcr.io/nvidia/openshell
+      OPENSHELL_REGISTRY_HOST: ghcr.io
+      OPENSHELL_REGISTRY_NAMESPACE: nvidia/openshell
+      OPENSHELL_REGISTRY_USERNAME: ${{ github.actor }}
+      OPENSHELL_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
+      OPENSHELL_SUPERVISOR_IMAGE: ${{ format('ghcr.io/nvidia/openshell/supervisor:{0}', inputs.image-tag) }}
+      OPENSHELL_MCP_CONFORMANCE_CLIENT_IMAGE: openshell-mcp-conformance-client:${{ github.sha }}
+    steps:
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        with:
+          ref: ${{ inputs['checkout-ref'] || github.sha }}
+
+      - name: Check out MCP conformance tests
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        with:
+          repository: modelcontextprotocol/conformance
+          ref: v0.1.16
+          path: .cache/mcp-conformance
+
+      - name: Set up Node.js
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
+        with:
+          node-version: "22"
+          cache: npm
+          cache-dependency-path: .cache/mcp-conformance/package-lock.json
+
+      - name: Build MCP conformance runner
+        working-directory: .cache/mcp-conformance
+        run: |
+          npm ci
+          npm run build
+
+      - name: Log in to GHCR with Docker
+        run: echo "${OPENSHELL_REGISTRY_PASSWORD}" | docker login ghcr.io -u "${{ github.actor }}" --password-stdin
+
+      - name: Build OpenShell e2e binaries
+        run: |
+          cargo build -p openshell-server --bin openshell-gateway --features openshell-core/dev-settings
+          cargo build -p openshell-cli --bin openshell --features openshell-core/dev-settings
+
+      - name: Build MCP conformance client image
+        run: docker build --pull -f e2e/mcp-conformance/Dockerfile.client -t "${OPENSHELL_MCP_CONFORMANCE_CLIENT_IMAGE}" .cache/mcp-conformance
+
+      - name: Run MCP conformance through OpenShell
+        run: |
+          set -euo pipefail
+          for scenario in initialize tools_call; do
+            echo "::group::MCP conformance: ${scenario}"
+            node .cache/mcp-conformance/dist/index.js client \
+              --command "bash e2e/mcp-conformance/client-through-openshell.sh" \
+              --scenario "${scenario}" \
+              --expected-failures e2e/mcp-conformance/expected-failures.yml \
+              --timeout 900000
+            echo "::endgroup::"
+          done
@@ -49,6 +49,14 @@ paths, such as proxy support files or GPU device paths when a GPU is present.
 All ordinary agent egress is routed through the sandbox proxy. The proxy
 identifies the calling binary, checks trust-on-first-use binary identity, rejects
 unsafe internal destinations, and evaluates the active policy.
+For inspected HTTP traffic, the proxy can enforce REST method/path rules,
+WebSocket upgrade and text-message rules, GraphQL operation rules, and
+JSON-RPC method and params rules on sandbox-to-server request bodies. JSON-RPC
+request inspection buffers up to the endpoint `json_rpc.max_body_bytes` limit.
+Literal dotted keys in JSON-RPC params are rejected before policy evaluation so
+they cannot be confused with flattened nested selector paths.
+JSON-RPC responses and server-to-client MCP messages on response or SSE streams
+are relayed but are not currently parsed for policy enforcement.
 
 `https://inference.local` is special. It bypasses OPA network policy and is
 handled by the inference interception path:

@@ -205,6 +205,8 @@ fn group_allow_rules(specs: &[String]) -> Result<BTreeMap<(String, u32), Vec<L7R
                     operation_type: String::new(),
                     operation_name: String::new(),
                     fields: Vec::new(),
+                    rpc_method: String::new(),
+                    params: HashMap::default(),
                 }),
             });
     }
@@ -226,6 +228,8 @@ fn group_deny_rules(specs: &[String]) -> Result<BTreeMap<(String, u32), Vec<L7De
                 operation_type: String::new(),
                 operation_name: String::new(),
                 fields: Vec::new(),
+                rpc_method: String::new(),
+                params: HashMap::default(),
             });
     }
     Ok(grouped)