ci(e2e): add MCP conformance coverage

Add a reusable MCP conformance workflow that runs upstream client scenarios
through an OpenShell sandbox.

Add a client image, wrapper, policy template, and expected-failures baseline
for expanding MCP conformance coverage.

Remove stale JSON-RPC e2e policy fields that are no longer accepted.

Signed-off-by: Kris Hicks <khicks@nvidia.com>

Author: krishicks

.github/workflows/branch-e2e.yml

@@ -111,6 +111,16 @@ jobs:
     with:
       image-tag: ${{ github.sha }}
 
+  mcp-conformance:
+    needs: [pr_metadata, build-gateway, build-supervisor]
+    if: needs.pr_metadata.outputs.should_run == 'true' && needs.pr_metadata.outputs.run_core_e2e == 'true'
+    permissions:
+      contents: read
+      packages: read
+    uses: ./.github/workflows/mcp-conformance.yml
+    with:
+      image-tag: ${{ github.sha }}
+
   kubernetes-ha-e2e:
     needs: [pr_metadata, build-gateway, build-supervisor]
     if: needs.pr_metadata.outputs.should_run == 'true' && needs.pr_metadata.outputs.run_kubernetes_ha_e2e == 'true'
@@ -126,7 +136,7 @@ jobs:
 
   core-e2e-result:
     name: Core E2E result
-    needs: [pr_metadata, build-gateway, build-supervisor, e2e, kubernetes-e2e]
+    needs: [pr_metadata, build-gateway, build-supervisor, e2e, kubernetes-e2e, mcp-conformance]
     if: always() && needs.pr_metadata.outputs.should_run == 'true' && needs.pr_metadata.outputs.run_core_e2e == 'true'
     runs-on: ubuntu-latest
     steps:
@@ -136,14 +146,16 @@ jobs:
           BUILD_SUPERVISOR_RESULT: ${{ needs.build-supervisor.result }}
           E2E_RESULT: ${{ needs.e2e.result }}
           KUBERNETES_E2E_RESULT: ${{ needs.kubernetes-e2e.result }}
+          MCP_CONFORMANCE_RESULT: ${{ needs.mcp-conformance.result }}
         run: |
           set -euo pipefail
           failed=0
           for item in \
             "build-gateway:$BUILD_GATEWAY_RESULT" \
             "build-supervisor:$BUILD_SUPERVISOR_RESULT" \
             "e2e:$E2E_RESULT" \
-            "kubernetes-e2e:$KUBERNETES_E2E_RESULT"; do
+            "kubernetes-e2e:$KUBERNETES_E2E_RESULT" \
+            "mcp-conformance:$MCP_CONFORMANCE_RESULT"; do
             name="${item%%:*}"
             result="${item#*:}"
             if [ "$result" != "success" ]; then

.github/workflows/mcp-conformance.yml

@@ -0,0 +1,86 @@
+name: MCP Conformance Test
+
+on:
+  workflow_call:
+    inputs:
+      image-tag:
+        description: "Image tag to test (typically the commit SHA)"
+        required: true
+        type: string
+      runner:
+        description: "GitHub Actions runner label"
+        required: false
+        type: string
+        default: "linux-amd64-cpu8"
+      checkout-ref:
+        description: "Git ref to check out for test inputs (defaults to the workflow SHA)"
+        required: false
+        type: string
+        default: ""
+
+permissions:
+  contents: read
+  packages: read
+
+jobs:
+  mcp-conformance:
+    name: "MCP Conformance (${{ matrix.scenario }})"
+    runs-on: ${{ inputs.runner }}
+    timeout-minutes: 40
+    strategy:
+      fail-fast: false
+      matrix:
+        scenario:
+          - initialize
+          - tools-call
+    container:
+      image: ghcr.io/nvidia/openshell/ci:latest
+      credentials:
+        username: ${{ github.actor }}
+        password: ${{ secrets.GITHUB_TOKEN }}
+      options: --privileged
+      volumes:
+        - /var/run/docker.sock:/var/run/docker.sock
+        - /home/runner/_work:/home/runner/_work
+    env:
+      MISE_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      IMAGE_TAG: ${{ inputs.image-tag }}
+      OPENSHELL_REGISTRY: ghcr.io/nvidia/openshell
+      OPENSHELL_REGISTRY_HOST: ghcr.io
+      OPENSHELL_REGISTRY_NAMESPACE: nvidia/openshell
+      OPENSHELL_REGISTRY_USERNAME: ${{ github.actor }}
+      OPENSHELL_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
+      OPENSHELL_SUPERVISOR_IMAGE: ${{ format('ghcr.io/nvidia/openshell/supervisor:{0}', inputs.image-tag) }}
+      OPENSHELL_MCP_CONFORMANCE_CLIENT_IMAGE: openshell-mcp-conformance-client:${{ github.sha }}
+    steps:
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        with:
+          ref: ${{ inputs['checkout-ref'] || github.sha }}
+
+      - name: Check out MCP conformance tests
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        with:
+          repository: modelcontextprotocol/conformance
+          ref: v0.1.11
+          path: .cache/mcp-conformance
+
+      - name: Log in to GHCR with Docker
+        run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u "${{ github.actor }}" --password-stdin
+
+      - name: Build OpenShell e2e binaries
+        run: |
+          cargo build -p openshell-server --bin openshell-gateway --features openshell-core/dev-settings
+          cargo build -p openshell-cli --bin openshell --features openshell-core/dev-settings
+
+      - name: Build MCP conformance client image
+        run: docker build --pull -f e2e/mcp-conformance/Dockerfile.client -t "${OPENSHELL_MCP_CONFORMANCE_CLIENT_IMAGE}" .cache/mcp-conformance
+
+      - name: Run MCP conformance through OpenShell
+        uses: modelcontextprotocol/conformance@v0.1.11
+        with:
+          mode: client
+          scenario: ${{ matrix.scenario }}
+          command: bash e2e/mcp-conformance/client-through-openshell.sh
+          expected-failures: e2e/mcp-conformance/expected-failures.yml
+          timeout: "900000"
+          node-version: "22"

e2e/mcp-conformance/Dockerfile.client

@@ -0,0 +1,21 @@
+# SPDX-FileCopyrightText: Copyright (c) 2025-2026 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
+# SPDX-License-Identifier: Apache-2.0
+
+FROM public.ecr.aws/docker/library/node:22-bookworm-slim
+
+RUN apt-get update \
+    && apt-get install -y --no-install-recommends ca-certificates iproute2 \
+    && rm -rf /var/lib/apt/lists/*
+
+# Match the sandbox user expected by OpenShell policies and supervisor setup.
+RUN groupadd -g 1000660000 sandbox \
+    && useradd -m -u 1000660000 -g sandbox sandbox
+
+WORKDIR /opt/mcp-conformance
+
+COPY . .
+RUN if [ -f package-lock.json ]; then npm ci; else npm install; fi
+RUN chown -R sandbox:sandbox /opt/mcp-conformance /home/sandbox
+
+USER sandbox
+CMD ["sleep", "infinity"]

e2e/mcp-conformance/README.md

@@ -0,0 +1,26 @@
+# MCP Conformance E2E
+
+This directory contains the OpenShell wrapper for the upstream
+`modelcontextprotocol/conformance` GitHub Action.
+
+The workflow uses conformance client mode. The upstream Action starts a real MCP
+test server, then invokes `client-through-openshell.sh` with that server URL.
+The wrapper starts the Docker-backed OpenShell e2e gateway and runs the upstream
+TypeScript `everything-client` inside an OpenShell sandbox, so the MCP traffic
+crosses the sandbox proxy.
+
+The conformance server URL uses `localhost` from the GitHub Actions job
+container's perspective. Sandboxes run in separate Docker containers, so the
+wrapper rewrites local URLs to `host.openshell.internal`, the alias that
+`e2e/with-docker-gateway.sh` attaches to the job container on the e2e Docker
+network.
+
+The generated policy allows valid JSON-RPC requests to the conformance server
+with `rpc_method: "*"`. That keeps OpenShell deny-by-default at the network
+boundary while allowing the upstream scenarios to exercise MCP behavior. The
+policy body lives in `policy-template.yaml`; the wrapper renders its host, port,
+and path placeholders from the upstream server URL.
+
+When enabling broader upstream suites, add scenarios that OpenShell does not yet
+support through the JSON-RPC proxy to `expected-failures.yml`. The upstream
+runner treats listed failures as allowed and treats stale entries as failures.

e2e/mcp-conformance/client-through-openshell.sh

@@ -0,0 +1,108 @@
+#!/usr/bin/env bash
+# SPDX-FileCopyrightText: Copyright (c) 2025-2026 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
+# SPDX-License-Identifier: Apache-2.0
+
+# Runs the upstream MCP conformance client through an OpenShell sandbox.
+#
+# The modelcontextprotocol/conformance GitHub Action starts a real MCP test
+# server in the GitHub Actions job container and invokes this script with that
+# server URL. This script starts the normal Docker-backed OpenShell e2e gateway,
+# creates a sandbox from the prebuilt conformance client image, and runs the
+# upstream TypeScript everything-client inside that sandbox. That keeps the MCP
+# client/server traffic in the OpenShell proxy data path.
+#
+# Conformance server URLs usually point at localhost in the job container.
+# Sandboxes are separate Docker containers, so localhost would point back at the
+# sandbox itself. The wrapper rewrites local URLs to host.openshell.internal,
+# which e2e/with-docker-gateway.sh attaches to the job container on the e2e
+# Docker network.
+
+set -euo pipefail
+
+usage() {
+  echo "usage: $0 <conformance-server-url>" >&2
+}
+
+if [ "$#" -ne 1 ]; then
+  usage
+  exit 2
+fi
+
+# Parse the conformance runner's server URL and render the OpenShell policy.
+prepare_conformance_target() {
+  local server_url=$1
+  local policy_file=$2
+  local policy_template=$3
+
+  python3 - "${server_url}" "${policy_file}" "${policy_template}" <<'PY'
+import json
+import string
+import sys
+from pathlib import Path
+from urllib.parse import urlparse, urlunparse
+
+raw_url, policy_file, policy_template = sys.argv[1:4]
+parsed = urlparse(raw_url)
+
+if parsed.scheme not in ("http", "https"):
+    raise SystemExit(f"unsupported conformance server URL scheme: {parsed.scheme!r}")
+
+host = parsed.hostname
+if not host:
+    raise SystemExit(f"conformance server URL is missing a host: {raw_url}")
+
+target_host = "host.openshell.internal" if host in {"localhost", "127.0.0.1", "::1"} else host
+port = parsed.port or (443 if parsed.scheme == "https" else 80)
+path = parsed.path or "/"
+netloc_host = f"[{target_host}]" if ":" in target_host and not target_host.startswith("[") else target_host
+netloc = f"{netloc_host}:{port}"
+rewritten = urlunparse((parsed.scheme, netloc, path, parsed.params, parsed.query, parsed.fragment))
+
+template = string.Template(Path(policy_template).read_text(encoding="utf-8"))
+policy = template.substitute(
+    host=json.dumps(target_host),
+    port=str(port),
+    path=json.dumps(path),
+)
+Path(policy_file).write_text(policy, encoding="utf-8")
+
+print(rewritten)
+PY
+}
+
+SERVER_URL="$1"
+CLIENT_IMAGE="${OPENSHELL_MCP_CONFORMANCE_CLIENT_IMAGE:?set OPENSHELL_MCP_CONFORMANCE_CLIENT_IMAGE to the prebuilt conformance client image}"
+ROOT="$(git rev-parse --show-toplevel 2>/dev/null || pwd)"
+POLICY_TEMPLATE="${ROOT}/e2e/mcp-conformance/policy-template.yaml"
+
+POLICY_FILE="$(mktemp "${TMPDIR:-/tmp}/openshell-mcp-conformance-policy.XXXXXX.yaml")"
+trap 'rm -f "${POLICY_FILE}"' EXIT
+
+CLIENT_SERVER_URL="$(prepare_conformance_target "${SERVER_URL}" "${POLICY_FILE}" "${POLICY_TEMPLATE}")"
+
+ENV_ARGS=()
+# These environment variables are set by the upstream conformance test runner
+# before it invokes the configured client command. Forward them into the
+# sandbox because the sandboxed TypeScript client depends on them to select the
+# scenario and read scenario-specific context.
+for NAME in MCP_CONFORMANCE_SCENARIO MCP_CONFORMANCE_CONTEXT MCP_CONFORMANCE_PROTOCOL_VERSION; do
+  if [ -n "${!NAME+x}" ]; then
+    ENV_ARGS+=(--env "${NAME}=${!NAME}")
+  fi
+done
+
+# shellcheck source=e2e/support/gateway-common.sh disable=SC1091
+source "${ROOT}/e2e/support/gateway-common.sh"
+TARGET_DIR="$(e2e_cargo_target_dir "${ROOT}")"
+OPENSHELL_BIN="${OPENSHELL_BIN:-${TARGET_DIR}/debug/openshell}"
+export OPENSHELL_E2E_DOCKER_SANDBOX_IMAGE="${OPENSHELL_E2E_DOCKER_SANDBOX_IMAGE:-${CLIENT_IMAGE}}"
+
+# shellcheck disable=SC2016
+"${ROOT}/e2e/with-docker-gateway.sh" \
+  "${OPENSHELL_BIN}" sandbox create \
+  --from "${CLIENT_IMAGE}" \
+  --policy "${POLICY_FILE}" \
+  "${ENV_ARGS[@]}" \
+  -- \
+  sh -c 'cd /opt/mcp-conformance && exec ./node_modules/.bin/tsx examples/clients/typescript/everything-client.ts "$1"' \
+  sh "${CLIENT_SERVER_URL}"

e2e/mcp-conformance/expected-failures.yml

@@ -0,0 +1,7 @@
+# SPDX-FileCopyrightText: Copyright (c) 2025-2026 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
+# SPDX-License-Identifier: Apache-2.0
+
+# Add client scenarios here when enabling broader MCP conformance suites that
+# exercise features OpenShell does not yet support through the JSON-RPC proxy.
+client: []
+server: []

e2e/mcp-conformance/policy-template.yaml

@@ -0,0 +1,56 @@
+# SPDX-FileCopyrightText: Copyright (c) 2025-2026 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
+# SPDX-License-Identifier: Apache-2.0
+
+version: 1
+
+filesystem_policy:
+  include_workdir: true
+  read_only:
+    - /bin
+    - /usr
+    - /lib
+    - /lib64
+    - /proc
+    - /sys
+    - /dev/urandom
+    - /etc
+    - /opt
+    - /var/log
+  read_write:
+    - /sandbox
+    - /tmp
+    - /dev/null
+    - /home/sandbox
+
+landlock:
+  compatibility: best_effort
+
+process:
+  run_as_user: sandbox
+  run_as_group: sandbox
+
+network_policies:
+  mcp_conformance:
+    name: mcp_conformance
+    endpoints:
+      - host: ${host}
+        port: ${port}
+        path: ${path}
+        protocol: json-rpc
+        enforcement: enforce
+        allowed_ips:
+          - "10.0.0.0/8"
+          - "172.0.0.0/8"
+          - "192.168.0.0/16"
+          - "fc00::/7"
+        json_rpc:
+          max_body_bytes: 131072
+        rules:
+          - allow:
+              rpc_method: "*"
+    binaries:
+      - path: /bin/sh
+      - path: /usr/bin/env
+      - path: /usr/local/bin/node
+      - path: /usr/bin/node
+      - path: /opt/mcp-conformance/node_modules/.bin/*

e2e/rust/tests/forward_proxy_jsonrpc_l7.rs

@@ -102,8 +102,6 @@ network_policies:
           - "fc00::/7"
         json_rpc:
           max_body_bytes: 65536
-          on_parse_error: deny
-          batch_policy: deny_if_any_denied
         rules:
           - allow:
               rpc_method: initialize
@@ -318,7 +316,7 @@ results = {{
         {{"jsonrpc": "2.0", "id": 2, "method": "tools/call", "params": {{"name": "blocked_action"}}}},
     ]),
 
-    # forward proxy — invalid JSON body denied by on_parse_error: deny
+    # forward proxy — invalid JSON body fails closed before generic rules apply
     "forward_invalid_json_denied": post_invalid_json(),
 
     # CONNECT path — representative allowed and denied cases