OpenShell 0.0.70 sandbox bootstrap failure: IssueSandboxToken rejects pods due to CRD API version mismatch #2013

@jnpacker

Agent Diagnostic

The OpenShell gateway (0.0.70) hardcodes agents.x-k8s.io/v1alpha1 when validating sandbox pod ownerReferences during the IssueSandboxToken bootstrap exchange. Agent-sandbox v0.5.0 graduated the CRD to v1beta1, so the controller now sets apiVersion: agents.x-k8s.io/v1beta1 on pod ownerReferences. The gateway's check fails with PERMISSION_DENIED, which the supervisor surfaces as Policy fetch failed: IssueSandboxToken bootstrap exchange failed.

Description

WORKAROUND: Pin agent-sandbox to v0.4.6 (last v1alpha1-only release). Requires deleting the existing CRD and agent-sandbox-system namespace before reinstalling — in-place downgrade is blocked by K8s storage version migration rules.

I wasn't sure if the intention is to move OpenShell to v1beta1 or pin the sandbox, otherwise I would have suggested a further solution.

Reproduction Steps

  1. Upgraded my in-cluster OpenShell to 0.0.7 (Helm chart)
  2. Tried to create a Sandbox

Seemed like this was affecting when I backed out the openshell version, because the sandbox is not pinned in the chart.

Environment

  • Kube
  • Kind cluster

Logs

IssueSandboxToken bootstrap exchange

Agent-First Checklist

  • I pointed my agent at the repo and had it investigate this issue
  • I loaded relevant skills (e.g., debug-openshell-cluster, debug-inference, openshell-cli)
  • My agent could not resolve this — the diagnostic above explains why
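
The ownerReference check described in the diagnostic above, as an added Go example that is not OpenShell's own code: an exact `apiVersion` string match next to a check that pins the API group and kind and accepts an allowlist of versions. The type and function names, the `Sandbox` kind, the controller-flag requirement and the version allowlist are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// OwnerRef holds the ownerReference fields this check reads (hypothetical type).
type OwnerRef struct {
	APIVersion string
	Kind       string
	Name       string
	Controller bool
}

const sandboxGroup = "agents.x-k8s.io" // API group named in the issue

// servedVersions is an assumed allowlist; keep it in step with the versions the CRD serves.
var servedVersions = map[string]bool{"v1alpha1": true, "v1beta1": true}

// strictOwner reproduces the reported behaviour: the full apiVersion string must match.
func strictOwner(r OwnerRef) bool {
	return r.APIVersion == sandboxGroup+"/v1alpha1" && r.Kind == "Sandbox" && r.Controller
}

// tolerantOwner pins group and kind exactly and accepts only allowlisted versions,
// so a CRD graduation does not break bootstrap and a look-alike group is still refused.
func tolerantOwner(r OwnerRef) bool {
	group, version, ok := strings.Cut(r.APIVersion, "/")
	if !ok || group != sandboxGroup || !servedVersions[version] {
		return false
	}
	return r.Kind == "Sandbox" && r.Controller
}

func main() {
	refs := []OwnerRef{ // constructed sample ownerReferences
		{"agents.x-k8s.io/v1alpha1", "Sandbox", "sb-a", true},
		{"agents.x-k8s.io/v1beta1", "Sandbox", "sb-b", true},
		{"agents.example.io/v1beta1", "Sandbox", "sb-c", true},
		{"agents.x-k8s.io/v2", "Sandbox", "sb-d", true},
	}
	for _, r := range refs {
		fmt.Printf("%-28s strict=%-5v tolerant=%v\n", r.APIVersion, strictOwner(r), tolerantOwner(r))
	}
}
```

Matching on the reference alone is only part of such a check; the owner's existence and UID still need to be confirmed against the API server before a token is issued.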
