feat(server): add an inference router (!13)

Closes NVIDIA#3

Author: pimlock

Cargo.lock

@@ -58,6 +58,10 @@ nix = { version = "0.29", features = ["signal", "process", "user", "fs", "term"]
 serde = { version = "1", features = ["derive"] }
 serde_json = "1"
 serde_yaml = "0.9"
+toml = "0.8"
+
+# HTTP client
+reqwest = { version = "0.12", default-features = false, features = ["json", "rustls-tls"] }
 
 # Utilities
 futures = "0.3"

Cargo.toml

@@ -0,0 +1,144 @@
+# Inference Router Plan
+
+Status: In Progress
+Date: 2026-02-09
+
+## Goals
+
+- Use entity-managed inference configuration.
+- Use `routing_hint` as the user-facing signal.
+- Start with a simple and strict v1 model.
+- Use fail-closed sandbox authorization.
+
+## Design principles
+
+- `routing_hint` is advisory intent from userland, not an internal route ID.
+- Use a single entity in v1 (`InferenceRoute`) to keep control plane simple.
+- v1 is intentionally small: 1:1 route-to-model mapping.
+- Add richer route modes only after route-only CRUD + tests are solid.
+
+## Naming
+
+- `Inference`: top-level namespace/service name.
+- `routing_hint`: request field used by callers.
+- `InferenceRoute`: maps hint -> routing behavior.
+- `InferencePolicy`: sandbox authorization settings.
+
+## Entity model
+
+### InferenceRoute
+
+Represents how a `routing_hint` resolves.
+
+Fields:
+- `id`
+- `spec`
+  - `routing_hint`
+  - `base_url`
+  - `protocol` (`openai_chat_completions` initially)
+  - `api_key` (plaintext for now)
+  - `model_id`
+  - `enabled`
+
+Persistence:
+- Store as protobuf payloads in the existing `objects` table.
+- Route auth is plaintext in v1; future update will replace `api_key` with secret references.
+
+## Request semantics
+
+`CompletionRequest` remains centered on `routing_hint`.
+
+- `routing_hint` is optional/advisory; server resolves an effective route.
+- `model_id` is resolved from route `spec.model_id` in v1.
+
+v1 behavior:
+- Route contains full upstream target + model config.
+- Userland sends `routing_hint` + messages only.
+
+v2 behavior:
+- Add optional passthrough model mode for downstream-router scenarios.
+
+## Sandbox policy model
+
+v1 control:
+- `allowed_routing_hints`
+
+Planned extension:
+- optional `allowed_model_ids`
+- optional provider/capability dimensions if needed later
+
+Enforcement order:
+1. Authenticate request identity.
+2. Resolve route from `routing_hint`.
+3. Apply sandbox policy checks.
+4. Call upstream.
+
+## API plan (entity management)
+
+Routes:
+- `CreateInferenceRoute`
+- `UpdateInferenceRoute`
+- `DeleteInferenceRoute`
+- `ListInferenceRoutes`
+
+CLI:
+- Use `nav inference create|update|delete|list` for route CRUD and inspection.
+
+## Router behavior
+
+- Resolve by `routing_hint`.
+- Load active route from entity store.
+- Support dynamic refresh without restart (watch or polling).
+- Perform protocol mapping to upstream API shape.
+
+## Responsibility split
+
+- Server responsibilities:
+  - authenticate sandbox request
+  - enforce `InferencePolicy` (`allowed_routing_hints`)
+  - load enabled, policy-allowed route candidates from store
+- Router responsibilities:
+  - select route from candidate set using request context (`routing_hint` today)
+  - execute upstream inference call
+  - remain the single place for future routing logic (fallbacks, scoring, policy-aware strategy)
+
+## AuthZ and governance
+
+Required decisions:
+- RBAC for inference entity CRUD.
+- Audit trail for route mutations.
+
+## Implementation phases
+
+### Phase 1
+- Define entities and protobufs.
+- Implement CRUD APIs for routes.
+- Implement router resolution from entities.
+- Use fixed route-to-model mapping only.
+- Enforce sandbox `allowed_routing_hints`.
+
+### Phase 2
+- Add optional passthrough-model route mode.
+- Add optional per-sandbox `allowed_model_ids`.
+- Add richer provider/capability policy dimensions if needed.
+
+## Implementation status
+
+- Done: `InferenceRoute` entity with `spec` shape (`id + spec`).
+- Done: route-only gRPC CRUD (`Create/Update/Delete/ListInferenceRoute`).
+- Done: completion path resolves route from store by `routing_hint`.
+- Done: CLI route CRUD commands (`nav inference create|update|delete|list`).
+- Done: sandbox policy enforcement remains `allowed_routing_hints`.
+- Pending: expand integration tests for CRUD + completion + policy edges.
+
+## Validation and testing
+
+- Unit: entity validation, route resolution, policy evaluation.
+- Integration: CRUD, router refresh, completion path.
+- Security: API key redaction in logs/outputs.
+
+## Open decisions
+
+- Missing/unknown `routing_hint`: strict error or default route.
+- Whether `routing_hint` must be globally unique or namespaced.
+- Principal identity source and RBAC model for non-sandbox clients.

architecture/plans/inference/plan.md

@@ -0,0 +1,178 @@
+# Sandbox Policy Refactor: Single YAML + Typed Proto + Baked Rules
+
+**Status:** Implemented
+**Date:** 2026-02-11
+
+## Goal
+
+Consolidate sandbox policy into a single YAML file parsed by the CLI, transmitted as a fully-typed proto, and consumed by the sandbox with baked-in OPA rules. Eliminate the separate rego data file as a user-facing artifact.
+
+## Design Summary
+
+### Single YAML policy file
+
+The user maintains one file (`dev-sandbox-policy.yaml`) containing everything:
+
+```yaml
+version: 1
+inference:
+  allowed_routing_hints:
+    - local
+filesystem:
+  include_workdir: true
+  read_only: ["/usr", "/lib"]
+  read_write: ["/sandbox", "/tmp"]
+landlock:
+  compatibility: best_effort
+process:
+  run_as_user: sandbox
+  run_as_group: sandbox
+network_policies:
+  claude_code:
+    endpoints:
+      - { host: api.anthropic.com, port: 443 }
+      - { host: statsig.anthropic.com, port: 443 }
+      - { host: sentry.io, port: 443 }
+      - { host: raw.githubusercontent.com, port: 443 }
+      - { host: platform.claude.com, port: 443 }
+    binaries:
+      - { path: /usr/local/bin/claude }
+  gitlab:
+    endpoints:
+      - { host: gitlab.com, port: 443 }
+      - { host: gitlab.mycorp.com, port: 443 }
+    binaries:
+      - { path: /usr/bin/glab }
+```
+
+This file is **baked into the CLI** as the default (via `include_str!`). Users can override with `--sandbox-policy <path>` or `NAVIGATOR_SANDBOX_POLICY` env var.
+
+### Proto (`sandbox.proto`)
+
+Fully typed, reusing tags 2-5 (no backward-compat constraint):
+
+```protobuf
+message SandboxPolicy {
+  uint32 version = 1;
+  FilesystemPolicy filesystem = 2;
+  LandlockPolicy landlock = 3;
+  ProcessPolicy process = 4;
+  map<string, NetworkPolicyRule> network_policies = 5;
+  InferencePolicy inference = 6;
+}
+```
+
+New messages for network policies: `NetworkPolicyRule`, `NetworkEndpoint`, `NetworkBinary`.
+`LandlockPolicy.compatibility` changes from enum to string.
+Old `NetworkPolicy`/`NetworkMode`/`ProxyPolicy` removed from proto (sandbox-internal concern).
+
+### Data flow
+
+```
+YAML ──[CLI]──> Proto (typed) ──[server stores]──> Proto ──[sandbox fetches via gRPC]──> OPA engine
+```
+
+1. **CLI**: Parses YAML, populates typed `SandboxPolicy` proto, sends to server at sandbox creation.
+2. **Server**: Stores proto as-is. Reads `inference` field directly for routing authorization. Returns full proto on `GetSandboxPolicy`.
+3. **Sandbox**: Fetches proto via gRPC. Converts typed proto fields to JSON, wraps under `{"sandbox": {...}}` key, feeds to `engine.add_data_json()`. Uses baked-in rego rules (via `include_str!`). Rego rules are unchanged — they still reference `data.sandbox.*`.
+
+### Baked-in rego rules
+
+The rego rules file (`dev-sandbox-policy.rego`) is baked into the **sandbox binary** via `include_str!`. The OPA engine is constructed from baked rules + JSON data derived from the proto. The `--rego-policy`/`--rego-data` CLI args on the sandbox binary are kept as dev-only overrides.
+
+### TODO (future)
+
+- Drop rego passthrough rules for filesystem/landlock/process — deserialize directly from proto with serde instead of querying OPA for static config.
+- Remove the `--rego-policy`/`--rego-data` sandbox args once the gRPC path is fully proven.
+- Delete `dev-sandbox-policy-data.rego` once all tests are migrated to use `from_proto` or inline rego data.
+
+### Questions for review
+
+1. **`dev-sandbox-policy-data.rego` kept for now** — it's still used by the existing `from_strings` OPA tests and the `--rego-policy`/`--rego-data` dev override path. Should we migrate the `from_strings` tests to `from_proto` and remove the file?
+2. **`NetworkMode`/`ProxyPolicy` still internal to sandbox** — the sandbox derives `NetworkMode::Proxy` when `network_policies` is non-empty in the proto. The proxy's bind address is still hardcoded/auto-detected. Is this the right default, or should there be an explicit way to set proxy config?
+3. **`name` field in `NetworkPolicyRule`** — the proto has both the map key and a `name` field inside the message. The CLI defaults `name` to the map key if not set. Should we remove the `name` field from the proto and just use the map key?
+
+## Implementation Steps
+
+### Step 1: Update `sandbox.proto`
+
+- Rewrite `SandboxPolicy` with typed fields on tags 1-6
+- Add new messages: `NetworkPolicyRule`, `NetworkEndpoint`, `NetworkBinary`
+- Change `LandlockPolicy.compatibility` from enum to string
+- Remove old `NetworkPolicy`, `NetworkMode`, `ProxyPolicy`, `ProxyConfig` messages from proto
+- Keep `InferencePolicy`, `GetSandboxPolicyRequest`, `GetSandboxPolicyResponse` as-is
+- Keep `LandlockCompatibility` enum removed (replaced by string field)
+
+### Step 2: Regenerate proto code
+
+- Run `mise run build` (or `cargo build -p navigator-core`) to trigger `tonic_build` codegen
+- The generated `navigator.sandbox.v1.rs` will reflect the new proto shape
+
+### Step 3: Update `dev-sandbox-policy.yaml`
+
+- Expand to include all policy fields (filesystem, landlock, process, network_policies)
+- This becomes the single source of truth
+
+### Step 4: Update CLI (`navigator-cli`)
+
+- Bake `dev-sandbox-policy.yaml` via `include_str!` in `run.rs`
+- Rewrite `DevSandboxPolicyFile` struct and `load_dev_sandbox_policy()` to match new YAML shape
+- Convert parsed YAML → typed `SandboxPolicy` proto (using new proto messages)
+- Support `--sandbox-policy <path>` flag / `NAVIGATOR_SANDBOX_POLICY` env var to override
+- Update `print_sandbox_policy()` and `policy_to_yaml()` for the new proto shape
+- Remove old `DevFilesystemPolicy`, `DevNetworkPolicy`, `DevProxyPolicy`, `DevLandlockPolicy`, `DevProcessPolicy` structs (replace with new ones matching the flat YAML)
+
+### Step 5: Update sandbox (`navigator-sandbox`)
+
+**`policy.rs`:**
+- Update `SandboxPolicy` (internal) and `TryFrom<ProtoSandboxPolicy>` conversion
+- `NetworkMode` / `NetworkPolicy` / `ProxyPolicy` remain as internal types but are no longer derived from proto — instead, the sandbox sets `NetworkMode::Proxy` when `network_policies` is non-empty, `NetworkMode::Block` otherwise
+- Update `FilesystemPolicy`, `LandlockPolicy`, `ProcessPolicy` conversions for new proto shape
+
+**`opa.rs`:**
+- Bake `dev-sandbox-policy.rego` via `include_str!` as `const BAKED_POLICY_RULES: &str`
+- Add a new constructor: `OpaEngine::from_policy_proto(proto: &ProtoSandboxPolicy) -> Result<Self>` that:
+  1. Loads baked rules via `engine.add_policy()`
+  2. Converts proto `network_policies` (and filesystem/landlock/process for rego passthrough compatibility) to JSON matching the `data.sandbox.*` shape the rego rules expect
+  3. Loads the JSON via `engine.add_data_json()`
+- Keep `from_files()` and `from_strings()` for dev/testing
+
+**`lib.rs` (`load_policy`):**
+- In gRPC mode: after fetching proto, construct `OpaEngine` from proto (using new constructor) instead of returning `None`
+- In rego file mode: keep as-is (dev override)
+
+### Step 6: Update server (`navigator-server`)
+
+**`inference.rs`:**
+- The `InferencePolicy` extraction path stays the same (it reads `sandbox.spec.policy.inference`)
+- No changes needed — the server is a passthrough for the policy proto
+
+**`grpc.rs`:**
+- `GetSandboxPolicy` handler stays the same — returns stored proto
+
+### Step 7: Fix compilation across crates
+
+- `navigator-sandbox/src/process.rs` — update references to `policy.network.mode`
+- `navigator-sandbox/src/sandbox/linux/seccomp.rs` — same
+- `navigator-sandbox/src/proxy.rs` — update `ProxyPolicy` usage
+- `navigator-sandbox/src/ssh.rs` — update `SandboxPolicy` usage
+- Test files in `navigator-cli/tests/` and `navigator-server/tests/` — update mock `SandboxPolicy` construction
+- `navigator-core/src/proto/mod.rs` — update re-exports if needed
+
+### Step 8: Delete obsolete files
+
+- `dev-sandbox-policy-data.rego` — replaced by YAML → proto → JSON flow
+- The rego rules file (`dev-sandbox-policy.rego`) stays in the repo but is now baked into the sandbox binary
+
+### Step 9: Tests
+
+- Update existing OPA engine tests to work with proto-based constructor
+- Update CLI policy loading tests
+- Update server integration test mocks for new proto shape
+- Verify `mise run test:rust` passes
+
+### Step 10: Pre-commit and build verification
+
+- `mise run pre-commit`
+- `mise run build`
+- `mise run test`

architecture/plans/sandbox-policy-refactor/plan.md

@@ -38,3 +38,20 @@ run = "uv run ruff format {{vars.python_paths}}"
 ["python:typecheck"]
 description = "Type check Python code with ty"
 run = "uv run ty check {{vars.python_paths}}"
+
+["python:proto"]
+description = "Generate Python protobuf stubs from .proto files"
+env = { UV_NO_SYNC = "1" }
+run = """
+#!/usr/bin/env bash
+set -euo pipefail
+uv run python -m grpc_tools.protoc \
+  -Iproto \
+  --python_out=python/navigator/_proto \
+  --pyi_out=python/navigator/_proto \
+  --grpc_python_out=python/navigator/_proto \
+  proto/inference.proto
+# Fix absolute imports in generated gRPC stubs to use relative imports
+sed -i '' 's/^import inference_pb2/from . import inference_pb2/' \
+  python/navigator/_proto/inference_pb2_grpc.py
+"""