
feat(policy): add runtime baseline conflict controls#1629

Draft
elezar wants to merge 2 commits into main from 1522-runtime-baseline-conflict-controls/elezar

Conversation

@elezar

@elezar elezar commented May 29, 2026

Member

Summary

Adds explicit filesystem policy controls for runtime baseline conflicts as an alternative to #1522. The default permits /proc read-only to read-write promotion for runtime baseline needs, while other conflicts such as device-node promotions require explicit policy opt-in.

Related Issue

Resolves #1486
Alternative to #1522.

Changes

  • Adds filesystem_policy.runtime_baseline_conflicts.read_only_to_read_write with reject_unlisted, promote_all, and reject_all modes.
  • Defaults omitted configuration to reject_unlisted with /proc in allow_promotion.
  • Rejects unlisted runtime baseline read-only to read-write conflicts and surfaces the startup error through policy enrichment.
  • Adds a follow-up commit that normalizes baseline conflict path comparisons and promotion patterns.
  • Updates policy schema and security architecture docs.

Testing

  • mise run pre-commit passes
  • Unit tests added/updated
  • E2E tests added/updated (if applicable)

Checklist

  • Follows Conventional Commits
  • Commits are signed off (DCO)
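The policy evaluation the Changes list describes, as an added example that is not code from this PR or from the openshell crates: a stdlib-only Rust sketch of the three `read_only_to_read_write` modes, the `reject_unlisted` default with `/proc` in `allow_promotion`, lexical path normalization before comparison, and fail-closed parsing of unknown modes. The type and function names, and the simplified `<dir>/**` pattern syntax standing in for `glob::Pattern`, are assumptions.

```rust
use std::path::{Component, Path, PathBuf};

/// Modes of filesystem_policy.runtime_baseline_conflicts.read_only_to_read_write.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum PromotionMode { RejectUnlisted, PromoteAll, RejectAll }
impl PromotionMode {
    /// Unknown modes are a startup error, not a silent fall-through to allow-list behaviour.
    pub fn parse(mode: &str) -> Result<Self, String> {
        match mode {
            "reject_unlisted" => Ok(Self::RejectUnlisted),
            "promote_all" => Ok(Self::PromoteAll),
            "reject_all" => Ok(Self::RejectAll),
            other => Err(format!("unknown read_only_to_read_write mode {other:?}")),
        }
    }
}
/// Hypothetical in-memory form of the policy block (names assumed, not the crate's own types).
pub struct ReadOnlyToReadWrite { pub mode: PromotionMode, pub allow_promotion: Vec<String> }

impl Default for ReadOnlyToReadWrite {
    /// Omitted configuration: reject_unlisted with only /proc listed for promotion.
    fn default() -> Self {
        Self { mode: PromotionMode::RejectUnlisted, allow_promotion: vec!["/proc".to_string()] }
    }
}

/// Lexical normalization so "/proc/", "/proc//." and "/proc" compare equal before matching.
pub fn normalize(path: &str) -> PathBuf {
    // components() already collapses repeated separators and interior "."; drop a leading "." too.
    Path::new(path).components().filter(|c| *c != Component::CurDir).collect()
}
/// Simplified stand-in for glob matching: an exact normalized path, or `<dir>/**` for that subtree.
pub fn pattern_matches(pattern: &str, path: &Path) -> bool {
    match pattern.strip_suffix("/**") {
        Some(dir) => path.starts_with(normalize(dir)),
        None => path == normalize(pattern).as_path(),
    }
}

/// Decide whether promoting `path` from read-only to read-write is allowed; Err is the startup error.
pub fn evaluate_promotion(policy: &ReadOnlyToReadWrite, path: &str) -> Result<(), String> {
    let norm = normalize(path);
    let listed = || policy.allow_promotion.iter().any(|p| pattern_matches(p, &norm));
    match policy.mode {
        PromotionMode::PromoteAll => Ok(()),
        PromotionMode::RejectUnlisted if listed() => Ok(()),
        _ => Err(format!("read-only to read-write promotion of {} rejected", norm.display())),
    }
}
```

A device-node promotion such as `/dev/nvidia0` is rejected under the default and only passes once a matching pattern is added to `allow_promotion` (or the mode is `promote_all`).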

@elezar elezar requested review from a team, derekwaynecarr, maxamillion and mrunalp as code owners May 29, 2026 13:56

@elezar elezar force-pushed the 1522-runtime-baseline-conflict-controls/elezar branch from 93e19ff to 8310d74 May 29, 2026 14:28
elezar added 2 commits June 4, 2026 15:13
Signed-off-by: Evan Lezar <elezar@nvidia.com>
Signed-off-by: Evan Lezar <elezar@nvidia.com>
@elezar elezar force-pushed the 1522-runtime-baseline-conflict-controls/elezar branch from 8310d74 to f7ff308 June 4, 2026 13:16
@elezar elezar added gator:in-review Gator is reviewing or awaiting PR review feedback test:e2e Requires end-to-end coverage labels Jun 10, 2026
@elezar

elezar commented Jun 10, 2026

Member Author

gator-agent

PR Review Status

Validation: this is maintainer-authored, project-valid policy/sandbox work for #1486, adding explicit runtime baseline conflict controls while preserving a default-deny posture for device-node promotion.
Head SHA: f7ff30804ccdbce0968524bc304d4307f77d1dba

Review findings:

  • Blocking: crates/openshell-sandbox/src/lib.rs uses glob::Pattern, but the diff only shows glob added to crates/openshell-policy/Cargo.toml. If openshell-sandbox does not already directly depend on glob, this will fail to compile. Please add glob = { workspace = true } to crates/openshell-sandbox/Cargo.toml or otherwise remove that direct dependency.
  • Warning: the OPA/local-policy path parses runtime_baseline_conflicts without the same validation as the YAML/proto path, and unknown modes appear to fall into allow-list behavior. Please make invalid modes/patterns fail closed or return a startup error so all policy ingress paths match.
  • Warning: live-update validation compares the raw optional runtime_baseline_conflicts value, so omitted config and the documented explicit default can be treated as different. Please compare canonical effective values for no-op updates.

Docs: Fern policy reference and sandbox policy docs were updated; no navigation change appears needed.
E2E: test:e2e is being applied because this changes policy enforcement behavior.

Next state: gator:in-review

@github-actions


Label test:e2e applied for f7ff308. Open the existing run and click Re-run all jobs to execute with the label set. The run will execute the standard E2E suite after building the required gateway and supervisor images once. The matching required CI gate status on this PR will flip green automatically once the run finishes.

@elezar elezar marked this pull request as draft June 10, 2026 21:31
@copy-pr-bot

copy-pr-bot Bot commented Jun 10, 2026


Auto-sync is disabled for draft pull requests in this repository. Workflows must be run manually.


Labels

gator:in-review Gator is reviewing or awaiting PR review feedback test:e2e Requires end-to-end coverage


Development

Successfully merging this pull request may close these issues.

bug: GPU sandboxes miss filesystem access for CUDA workloads
