ci: add GitHub Actions CI workflow with lint, test, and image build #1

Merged
drew merged 15 commits into main from dn/ci-tests on Feb 27, 2026

Collaborator

@drew drew commented Feb 27, 2026

Summary

  • Adds .github/workflows/ci.yml with lint, rust-test, python-test, and CI image build jobs
  • Adds build/scripts/ci-image.sh for local + CI docker image builds
  • Adds docker:buildx:setup mise task for multi-arch remote BuildKit configuration
  • Updates docker:build:ci mise task to use the new script

@drew drew force-pushed the dn/ci-tests branch 3 times, most recently from 2698555 to bda31e5 Compare February 27, 2026 07:42
drew added 3 commits February 27, 2026 09:44
…action

Use docker/setup-buildx-action@v3 wrapped in a local composite action
to create the multi-arch remote BuildKit builder. This ensures automatic
cleanup of builder nodes when the job finishes, preventing leaked
BuildKit instances on self-hosted runners.
Declare the ARG before mise install so authenticated GitHub API
requests avoid rate limits when fetching tool versions.
@drew drew merged commit 7e7e84e into main Feb 27, 2026
3 checks passed
@drew drew deleted the dn/ci-tests branch February 27, 2026 18:10
TylerBarkley added a commit to TylerBarkley/OpenShell that referenced this pull request Mar 24, 2026
Implement the final integration for GPU passthrough support:
- Add put_vfio_device() API function for PUT /vfio/{device_id}
- Wire prepare_gpu_attachment() into do_create_inner()
- Enable supports_gpu in Firecracker capabilities
- Update spec compatibility checks and tests

This completes blockers NVIDIA#1 (GPU attachment not wired) and NVIDIA#2
(VFIO device attachment API not implemented).

Signed-off-by: OpenCode Agent <opencode@nvidia.com>
factory-octavian pushed a commit to factory-octavian/OpenShell that referenced this pull request Mar 31, 2026
…DIA#5)

- Add SPDX copyright header to .github/workflows/dco.yml
- Add DCO sign-off requirement section to CONTRIBUTING.md
- Create THIRD-PARTY-NOTICES with all third-party dependencies
- Include .github/ in license header CI check scope
@mjamiv mjamiv mentioned this pull request Apr 6, 2026
2 tasks
ben-alkov pushed a commit to ben-alkov/OpenShell that referenced this pull request Apr 13, 2026
feat(podman): add Podman support as alternative container runtime
ben-alkov pushed a commit to ben-alkov/OpenShell that referenced this pull request Apr 13, 2026
docs(podman): Add macOS installation guide and Podman build compatibility
mrunalp added a commit to mrunalp/OpenShell that referenced this pull request Apr 18, 2026
1. Separate client_id from audience (Critical/High, findings NVIDIA#1/NVIDIA#3):
   - Add oidc_audience field to GatewayMetadata separate from oidc_client_id
   - Bootstrap stores client_id and audience independently
   - Fixes the conflation that made the docs overstate provider portability

2. Skip list risk documentation (Critical, finding NVIDIA#2):
   - The skip list is by design for sandbox supervisor RPCs which use
     SSH handshake secrets. Noted for future hardening with per-sandbox
     credentials.

3. Reject partial-empty RBAC config (Medium, finding NVIDIA#4):
   - AuthzPolicy::validate() rejects configs where only one of
     admin_role/user_role is set
   - Server validates at startup before accepting requests
   - Prevents silently opening admin endpoints to any authenticated user

4. Preserve refresh token on refresh (Medium, finding NVIDIA#5):
   - oidc_refresh_token() keeps the old refresh_token when the server
     doesn't return a new one, per OAuth 2.0 spec

5. Additional concerns:
   - Percent-decode callback query parameters (code, state, error)
   - Drop scope=openid from client_credentials flow
   - Use /dev/urandom for PKCE verifier/state on Unix
   - Validate discovery issuer matches configured issuer (both server
     and CLI) to prevent SSRF/misdirection
   - Wire RBAC config (rolesClaim, adminRole, userRole) through Helm
     values and statefulset template
mrunalp added a commit to mrunalp/OpenShell that referenced this pull request Apr 18, 2026
1. Critical: sandbox RPCs now require x-sandbox-secret header (NVIDIA#1):
   - Split skip list into unauthenticated (health/reflection) and
     sandbox-secret (supervisor RPCs) categories
   - Sandbox RPCs require x-sandbox-secret header matching the server's
     SSH handshake secret
   - Sandbox gRPC client injects the secret via SandboxSecretInterceptor
   - Unauthenticated network callers can no longer reach sandbox RPCs

2. High: complete client_id vs audience separation (NVIDIA#2):
   - Add --oidc-audience flag to gateway add (separate from --oidc-client-id)
   - Store oidc_audience in gateway metadata independently
   - Thread audience through bootstrap metadata correctly

3. Medium: propagate RBAC settings through bootstrap (NVIDIA#3):
   - Add oidc_roles_claim, oidc_admin_role, oidc_user_role to DeployOptions
   - Pass OIDC_ROLES_CLAIM, OIDC_ADMIN_ROLE, OIDC_USER_ROLE env vars
     through Docker container → cluster-entrypoint.sh → HelmChart manifest
   - Full provider-neutral RBAC config now works via gateway start

4. Low: cross-platform CSPRNG (NVIDIA#4):
   - Replace /dev/urandom + RandomState fallback with getrandom crate
   - Works correctly on all platforms (Linux, macOS, Windows)
mrunalp added a commit to mrunalp/OpenShell that referenced this pull request Apr 18, 2026
1. High: UpdateConfig dual-auth for sandbox policy sync (NVIDIA#1):
   - Add DUAL_AUTH_METHODS list for RPCs that accept either Bearer
     token (CLI users) or sandbox secret (supervisor)
   - UpdateConfig now works for both CLI policy mutations and
     sandbox startup policy sync in OIDC deployments

2. Medium: end-to-end client_id vs audience separation (NVIDIA#2):
   - Thread optional audience parameter through oidc_browser_auth_flow
     and oidc_client_credentials_flow
   - gateway login reads oidc_audience from metadata and passes it
     to the auth/token requests
   - Adds audience parameter to authorization URL for providers
     that require it (Entra ID)

3. Medium: gateway start exposes full OIDC RBAC config (NVIDIA#3):
   - Add --oidc-client-id, --oidc-roles-claim, --oidc-admin-role,
     --oidc-user-role flags to gateway start
   - Thread all values through gateway_admin_deploy into DeployOptions
   - Stop hardcoding "openshell-cli" as client_id in bootstrap metadata
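
The per-method auth categories described in the three OIDC commits above (unauthenticated, sandbox-secret, dual-auth, Bearer by default), as an added sketch that is not OpenShell's code. The method paths other than the gRPC health check, the `Request` struct and the boolean standing in for Bearer validation are assumptions made for the example.

```rust
// Added illustration, not OpenShell's code. Method paths other than the gRPC
// health check are hypothetical; Bearer/OIDC validation is reduced to a bool.
#[derive(Debug, PartialEq, Clone, Copy)]
enum AuthClass { Unauthenticated, SandboxSecret, DualAuth, Bearer }

const UNAUTHENTICATED: &[&str] = &["/grpc.health.v1.Health/Check"];
const SANDBOX_SECRET: &[&str] = &["/example.v1.Supervisor/GetPolicy"]; // hypothetical
const DUAL_AUTH_METHODS: &[&str] = &["/example.v1.Gateway/UpdateConfig"]; // hypothetical path

fn classify(path: &str) -> AuthClass {
    if UNAUTHENTICATED.contains(&path) { AuthClass::Unauthenticated }
    else if SANDBOX_SECRET.contains(&path) { AuthClass::SandboxSecret }
    else if DUAL_AUTH_METHODS.contains(&path) { AuthClass::DualAuth }
    else { AuthClass::Bearer } // anything unlisted needs a user token
}

/// Equality without an early exit, so timing does not reveal the matching prefix.
/// A production build would use a vetted constant-time comparison instead.
fn ct_eq(a: &[u8], b: &[u8]) -> bool {
    a.len() == b.len() && a.iter().zip(b).fold(0u8, |acc, (x, y)| acc | (x ^ y)) == 0
}

struct Request<'a> {
    path: &'a str,
    sandbox_secret: Option<&'a str>, // value of the x-sandbox-secret header
    bearer_valid: bool,              // outcome of Bearer token validation
}

fn authorize(req: &Request, server_secret: &str) -> bool {
    // An empty server secret must never match an empty header.
    let secret_ok = !server_secret.is_empty()
        && req.sandbox_secret.map_or(false, |s| ct_eq(s.as_bytes(), server_secret.as_bytes()));
    match classify(req.path) {
        AuthClass::Unauthenticated => true,
        AuthClass::SandboxSecret => secret_ok,
        AuthClass::DualAuth => secret_ok || req.bearer_valid,
        AuthClass::Bearer => req.bearer_valid,
    }
}

fn main() {
    // Constructed request: a network caller with no credentials hits a supervisor RPC.
    let anon = Request { path: "/example.v1.Supervisor/GetPolicy", sandbox_secret: None, bearer_valid: false };
    println!("anonymous supervisor call allowed: {}", authorize(&anon, "constructed-secret"));
}
```
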
zredlined added a commit that referenced this pull request May 12, 2026
…drafts

Three things in one commit, all surfaced by running the demo end-to-end
against a real gateway and finding the agent had to draft a broader
second proposal.

1. /wait race fix. Previously /wait returned `approved` the moment it
   observed the gateway's chunk status flip, but the local supervisor
   reloads policy on its own poll cycle (~10s in practice). The agent's
   retry would race the reload and hit the still-old policy, getting
   denied. Codex then drafted a broader rule and re-submitted — sound
   agent behavior, but not what /wait should provoke. Now /wait captures
   the local policy version at start, and after observed-approved waits
   for the supervisor to load a strictly-newer version before returning.
   Bounded by the caller's deadline; best-effort return if the deadline
   elapses without the version bumping. Two new unit tests pin the
   happy path and the deadline-clamped fallback.

2. demo.sh auto-approve loop. Replaces approve_when_pending +
   wait_for_agent with one approve_pending_until_agent_exits function
   that keeps watching for pending chunks and approving them until the
   agent process exits (or the configured timeout). Defense in depth
   against future redraft scenarios for any reason; today (post-fix #1)
   the agent should only submit one proposal per task, but we don't
   want to hang silently if it does submit more.

3. UX. Step headers now carry "[t+1.2s]" relative timestamps so reading
   the run output makes latency visible (the demo's whole point is the
   wait is cheap — surface that). A spin_wait helper renders an ASCII
   spinner during the watch loop so the demo never looks frozen on a
   TTY. Falls back to plain sleep on non-TTY contexts.

Closes the race condition diagnosed from the trace timing where the
gateway approved at t+0, sandbox observed at t+0.3s, but the supervisor
didn't load v2 until t+9.4s — well after the agent had already retried
and been denied.

Signed-off-by: Alexander Watson <zredlined@gmail.com>
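
The version gate from item 1 of the commit message above, as an added sketch that is not the project's code: after approval is observed, return only once the locally loaded policy version is strictly newer than the one captured at the start, or fall back to a best-effort return at the caller's deadline. The function, the `WaitResult` enum and the injected version closure are assumptions made for the example.

```rust
// Added illustration, not OpenShell's code. The version source is injected as
// a closure so the gate can be exercised without a running supervisor.
use std::time::{Duration, Instant};

#[derive(Debug, PartialEq)]
enum WaitResult {
    /// Approved, and the supervisor has loaded a strictly newer policy.
    ApprovedAndLoaded { version: u64 },
    /// Approved, but the deadline elapsed before the version bumped.
    ApprovedBestEffort { version: u64 },
}

/// Call once the gateway reports the chunk as approved. `start_version` must
/// have been captured when the wait began, before approval could be observed.
fn wait_for_reload(
    start_version: u64,
    mut local_version: impl FnMut() -> u64,
    deadline: Instant,
    poll: Duration,
) -> WaitResult {
    loop {
        let v = local_version();
        if v > start_version {
            // Equal is not enough: the old policy would still deny the retry.
            return WaitResult::ApprovedAndLoaded { version: v };
        }
        let now = Instant::now();
        if now >= deadline {
            return WaitResult::ApprovedBestEffort { version: v };
        }
        // Never sleep past the caller's deadline.
        std::thread::sleep(poll.min(deadline - now));
    }
}

fn main() {
    // Constructed timeline: the supervisor loads v2 on the fourth poll.
    let mut polls = 0;
    let result = wait_for_reload(
        1,
        || { polls += 1; if polls >= 4 { 2 } else { 1 } },
        Instant::now() + Duration::from_secs(1),
        Duration::from_millis(5),
    );
    println!("{:?} after {} polls", result, polls);
}
```
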
@johntmyers
Collaborator

smoke test - ignore
