feat(discovery+openshell): DNS-AID agent discovery with OpenShell policy enforcement

[IngmarVG-IB]

Summary

• Adds DNS-AID agent discovery via SVCB records (RFC 9460) with private-use SvcParamKeys per draft-mozleywilliams-dnsop-dnsaid-01
• Adds OpenShell caller-side policy enforcement (Layer 1) consuming dns-aid-core's PolicyDocument schema
• Integrates both into the /v1/agents endpoint with feature gating

Story: "OpenShell secures the agent boundary; DNS-AID resolves what's inside it."

Motivation / Context

AICR agents in Kubernetes need a standard discovery layer to find peers and a security boundary to control which connections are permitted. DNS-AID provides discovery via DNS SVCB lookups; OpenShell evaluates target agents' published policy documents before allowing the calling agent to connect.

Type of Change

• New feature (non-breaking change that adds functionality)

Component(s) Affected

• API server (/v1/agents endpoint)
• Core libraries (pkg/discovery, pkg/openshell, pkg/errors, pkg/defaults)

Implementation Notes

DNS-AID Discovery (pkg/discovery/)

• Discoverer: DNS SVCB queries for _{name}._{protocol}._agents.{domain}
• Publisher: K8s ConfigMap-based agent registration with create-or-update semantics
• TXT-based index at _agents.{domain} for listing all agents
• Server lifecycle hooks (OnStart/OnShutdown) for auto-publish/deregister
• Feature-gated via AICR_DISCOVERY_ENABLED=true

OpenShell Policy Enforcement (pkg/openshell/)

• All 16 native policy rules matching dns-aid-core's schema
• Three enforcement modes: strict (deny on violation), permissive (log + allow, default), disabled
• Fail-open on policy fetch errors (matches dns-aid-core behavior)
• SSRF-protected fetcher: HTTPS-only, rejects private/loopback IPs
• TTL-based cache (5m default) with bounded eviction (max 1024 entries) and singleflight coalescing
• Enforcement layer filtering — Layer 1 only evaluates applicable rules
• Realm isolation detection with cross-realm access logging
• CEL custom rules deferred to future phase (logged as unsupported)
• Controlled via OPENSHELL_MODE env var with startup validation

Integration

• /v1/agents evaluates OpenShell policy for each discovered agent with a policy URI
• Guard accepts nil — zero behavioral change when discovery is disabled
• New error codes: POLICY_DENIED, POLICY_FETCH
• New defaults: PolicyFetchTimeout (3s), PolicyCacheTTL (5m), PolicyMaxBytes (64KB)

Key Design Decisions

• Fail-open: If a policy document can't be fetched, the connection is allowed. This matches dns-aid-core and is correct for a discovery system where policy is advisory at Layer 1.
• No Python dependency: OpenShell is a pure Go reimplementation consuming the same JSON schema as dns-aid-core's Python SDK.
• Numeric TLS version comparison: Parses major.minor as integers (not lexicographic) to correctly handle versions like 1.12.

Testing

make test  # all tests pass with -race

• pkg/openshell: 84.2% coverage (30 tests)
  • Evaluator: 15 table-driven tests covering all 16 rules, layer filtering, multiple violations
  • Fetcher: SSRF validation, caching, content-type/size rejection, non-200 handling
  • Guard: all 3 modes, fail-open, compliant caller, mode validation
  • Availability: midnight wrap, timezone handling, malformed input fail-open
  • TLS version: numeric comparison including double-digit minor versions
• pkg/discovery: Mock DNS server tests for SVCB parsing, index listing, publisher
• pkg/api: Handler tests with nil guard, domain validation, empty index

Risk Assessment

Medium — New packages with no existing consumers beyond the /v1/agents endpoint. Feature-gated behind AICR_DISCOVERY_ENABLED and OPENSHELL_MODE env vars, so zero impact on existing functionality when disabled. Default mode is permissive (log-only), providing a safe rollout path.

Checklist

• Tests pass locally with -race
• Linter passes (go vet clean, gofmt clean)
• No tests skipped or disabled
• New tests added for new functionality
• Changes follow existing patterns (functional options, pkg/errors, slog, pkg/defaults)
• Commits are cryptographically signed (git commit -S)

[copy-pr-bot]

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.

[github-actions]

Welcome to AICR, @IngmarVG-IB! Thanks for your first pull request.

Before review, please ensure:

• All commits are signed off per the DCO
• CI checks pass (tests, lint, security scan)
• The PR description explains the why behind your changes

A maintainer will review this soon.

[mchmarny]

Well-structured PR — clean separation between discovery, policy, and API layers. The code follows project conventions (functional options, pkg/errors, pkg/defaults, slog, table-driven tests, create-or-update K8s semantics). Feature gating via env vars is a good rollout strategy.

Key issues to address:

1. SSRF bypass via hostname (fetcher.go) — The private IP check only catches raw IP literals in URLs. A hostname resolving to 127.0.0.1 or a link-local address passes validation. Since policy URIs come from DNS records (untrusted input), this needs a DialContext-level check or at minimum a documented limitation.

2. Silent data loss on context cancellation (resolver.go) — DiscoverAll swallows all errors including context cancellation, returning an empty list with nil error. Callers can't distinguish "no agents" from "timed out mid-discovery."

3. Confusing dual-return on fail-open (guard.go) — Check returns (allowed=true, err!=nil) on fetch failure. This contract is easy to misuse.

4. bapVersions v-prefix handling (types.go) — A v-prefixed version like v2.1.0 produces mcp/v2 instead of mcp/2.

Minor/cleanup:

• Dead code: g.Wait() error check in DiscoverAll can never trigger
• Unnecessary loop variable capture (Go 1.22+ scoping)
• Duplicated startMockDNS test helper across packages
• PORT env var parsed in two places
• .claude/agents/k8s-discovery.md may be unintentional

Overall the architecture is solid. The SSRF issue is the most important one to fix before merge.

[mchmarny]

The loop variable capture (entry := entry) is unnecessary in Go 1.22+ (this project uses Go 1.26). The loop variable is already per-iteration scoped.

[mchmarny]

g.Wait() never returns a non-nil error here because every g.Go callback returns nil (individual failures are logged and skipped at line 113). This entire if err block is dead code. Either remove it or return errors from the goroutines for genuinely fatal failures (e.g., context cancellation).

[mchmarny]

Context cancellation is silently swallowed inside the goroutines (line 107 returns nil on all errors). If gctx is canceled (e.g., parent timeout), every in-flight DNS query will fail and be logged as a warning, but DiscoverAll will return an empty list with no error. Consider checking ctx.Err() after g.Wait() and propagating cancellation so callers know the result is incomplete due to timeout rather than an empty domain.

[mchmarny]

NewGuard panics on invalid mode, but setupDiscovery in pkg/api/server.go already validates the mode and returns an error. The panic is redundant for the current call site — and panics in library code are generally undesirable. Consider returning an error from a constructor, or just trusting the caller validation and removing the panic. If you keep it, document the panic in the function's doc comment.

[mchmarny]

Check returns both an allowed result and a non-nil error on fetch failure. The caller in handleAgents (agents.go:103) checks err != nil to log, then checks result != nil separately. This dual-return contract is easy to misuse — a future caller might short-circuit on err != nil and miss that the result is still allowed: true (fail-open). Consider returning (allowed, nil) on fail-open with the fetch warning logged internally, or documenting this contract more prominently.

[mchmarny]

The index is rebuilt by listing all agent ConfigMaps on every publish/deregister. With many agents this becomes O(N) on every registration. Fine for the current scale, but if you expect >100 agents per namespace, consider an append/remove strategy with a periodic full reconciliation instead.

[mchmarny]

bapVersions() extracts the major version from r.Version using string splitting. If Version is a semver like v2.1.0 (with v prefix), this returns v2 rather than 2, producing mcp/v2 instead of mcp/2. Consider stripping the v prefix if present.

[mchmarny]

Good: reading maxBytes+1 then checking length is the correct pattern to detect oversized responses without allocating unbounded memory. Clean.

[mchmarny]

The startMockDNS helper is duplicated from pkg/discovery/testhelper_test.go (the comment says so). Consider extracting it to an exported testutil or internal/testdns package to avoid drift between the two copies.

[mchmarny]

Is this file intended to be checked in? It looks like a Claude Code agent instruction file rather than project source. If it was added unintentionally, consider removing it from the PR.