Agent Diagnostic
Pointed an agent at the repo and traced the create-sandbox label flow across the gateway and compute drivers (codebase exploration + openshell-cli knowledge).
openshell sandbox create --label k=v sends the label in CreateSandboxRequest.labels (crates/openshell-cli/src/main.rs → run.rs::sandbox_create).
- In the gateway,
handle_create_sandbox_inner (crates/openshell-server/src/grpc/sandbox.rs) stores those labels only in ObjectMeta.labels (sandbox metadata used for CLI filtering / --selector). They were never copied into SandboxTemplate.labels.
SandboxTemplate.labels is the backend-neutral field documented as "Labels applied to compute-platform resources", mapped to DriverSandboxTemplate.labels in crates/openshell-server/src/compute/mod.rs (driver_sandbox_template_from_public).
- Drivers consume
template.labels: the Kubernetes driver applies them to pod metadata (crates/openshell-driver-kubernetes/src/driver.rs), the Docker driver to container labels (crates/openshell-driver-docker/src/lib.rs). The VM driver ignores them.
- Root cause: the CLI never populates
template.labels, and the gateway never bridges request.labels → template.labels. So there was no path for a user-supplied --label to reach the pod/container; it only ever became sandbox metadata.
Description
Actual behavior: openshell sandbox create --label env=dev records env=dev as sandbox metadata (visible via openshell sandbox list --selector env=dev), but the label is not applied to the underlying Kubernetes pod (or Docker container). kubectl get pods -l env=dev returns nothing.
Expected behavior: User-supplied labels are applied to the underlying compute resource (pod / container) in addition to being stored as sandbox metadata, so operators can select the workload with native platform tooling.
Reproduction Steps
- Register/select a Kubernetes-backed gateway.
openshell sandbox create --label env=dev -- claude
kubectl get pods -l env=dev -n <sandbox-namespace>
- Observe: no pod matches the label, even though
openshell sandbox list --selector env=dev shows the sandbox.
Environment
- OS: any (code-level bug, platform-independent)
- Compute driver: Kubernetes (Docker affected the same way; VM driver has no label support)
- OpenShell:
main branch
Logs
No error is emitted — the labels are silently confined to sandbox metadata.
Agent-First Checklist
Agent Diagnostic
Pointed an agent at the repo and traced the create-sandbox label flow across the gateway and compute drivers (codebase exploration +
openshell-cliknowledge).openshell sandbox create --label k=vsends the label inCreateSandboxRequest.labels(crates/openshell-cli/src/main.rs→run.rs::sandbox_create).handle_create_sandbox_inner(crates/openshell-server/src/grpc/sandbox.rs) stores those labels only inObjectMeta.labels(sandbox metadata used for CLI filtering /--selector). They were never copied intoSandboxTemplate.labels.SandboxTemplate.labelsis the backend-neutral field documented as "Labels applied to compute-platform resources", mapped toDriverSandboxTemplate.labelsincrates/openshell-server/src/compute/mod.rs(driver_sandbox_template_from_public).template.labels: the Kubernetes driver applies them to pod metadata (crates/openshell-driver-kubernetes/src/driver.rs), the Docker driver to container labels (crates/openshell-driver-docker/src/lib.rs). The VM driver ignores them.template.labels, and the gateway never bridgesrequest.labels→template.labels. So there was no path for a user-supplied--labelto reach the pod/container; it only ever became sandbox metadata.Description
Actual behavior:
openshell sandbox create --label env=devrecordsenv=devas sandbox metadata (visible viaopenshell sandbox list --selector env=dev), but the label is not applied to the underlying Kubernetes pod (or Docker container).kubectl get pods -l env=devreturns nothing.Expected behavior: User-supplied labels are applied to the underlying compute resource (pod / container) in addition to being stored as sandbox metadata, so operators can select the workload with native platform tooling.
Reproduction Steps
openshell sandbox create --label env=dev -- claudekubectl get pods -l env=dev -n <sandbox-namespace>openshell sandbox list --selector env=devshows the sandbox.Environment
mainbranchLogs
Agent-First Checklist
openshell-cli) and traced the create-sandbox flow across the gateway and compute drivers