bug: OCSF JSONL remains disabled for sandboxes created after global enablement #1917

@TaylorMutch

Agent Diagnostic

Used the create-github-issue and openshell-cli workflows. Investigated a local Kubernetes gateway at http://localhost:8080 with two Ready sandboxes:

  • impish-amphibian
  • warranted-moonfish

Verified global settings:

{
  "scope": "global",
  "settings": {
    "ocsf_json_enabled": "true"
  },
  "settings_revision": 1
}

Observed behavior:

  • impish-amphibian eventually wrote OCSF JSONL records after the global setting changed while the sandbox was already running.
  • warranted-moonfish was created after global ocsf_json_enabled=true; it created /var/log/openshell-ocsf.2026-06-15.log, but the file stayed 0 bytes despite OCSF events appearing in openshell logs.
  • settings get warranted-moonfish --json showed effective ocsf_json_enabled=true from global scope.
  • Forcing an unrelated sandbox config revision with agent_policy_proposals_enabled=false caused the sandbox poll loop to log OCSF JSONL logging toggled ocsf_json_enabled=true; after a later OCSF event, /var/log/openshell-ocsf.2026-06-15.log became populated.
  • Removed the temporary sandbox setting afterward; effective state returned to global ocsf_json_enabled=true and agent_policy_proposals_enabled=<unset>.

Code investigation:

  • crates/openshell-sandbox/src/main.rs creates the JSONL file/layer eagerly but initializes the shared ocsf_enabled flag to false.
  • crates/openshell-ocsf/src/tracing_layers/jsonl_layer.rs discards OCSF events while that flag is false.
  • crates/openshell-sandbox/src/lib.rs::run_policy_poll_loop performs an initial poll_settings() and stores current_config_revision, current_policy_hash, and current_settings, but does not apply ocsf_json_enabled from that initial result.
  • The OCSF toggle is only applied later inside the config-revision-changed path. If a sandbox starts after the global setting is already true, there may be no later revision change, so JSONL remains disabled indefinitely.

Related issues checked: no exact open duplicate found. #1055 is related broader observability roadmap work.

Description

Actual behavior: A sandbox created after global ocsf_json_enabled=true creates the OCSF JSONL file but does not write records until some later config revision change occurs. This makes the JSONL export appear enabled from the gateway while it is disabled in the running sandbox.

Expected behavior: If effective settings include ocsf_json_enabled=true during sandbox startup, the sandbox should enable OCSF JSONL before or during the initial settings application, without requiring a later unrelated settings/policy revision.

Reproduction Steps

  1. Start a gateway and create a Kubernetes-backed sandbox, or use any driver where /var/log is writable.
  2. Enable global OCSF JSONL:
     openshell --gateway-endpoint http://localhost:8080 settings set --global --key ocsf_json_enabled --value true
  3. Create a new sandbox after the global setting is already true.
  4. Confirm the gateway reports effective setting true:
     openshell --gateway-endpoint http://localhost:8080 settings get <sandbox> --json
  5. Generate OCSF events, for example with exec/connect activity or a denied network request.
  6. Inspect the file:
     openshell --gateway-endpoint http://localhost:8080 sandbox exec -n <sandbox> -- \
       /bin/sh -lc 'wc -c /var/log/openshell-ocsf.*.log; tail -n 5 /var/log/openshell-ocsf.*.log'
  7. Observe that the file exists but remains 0 bytes until another config revision is applied.

Environment

  • OpenShell gateway: 0.0.64-dev.6+ged65bfd86
  • Gateway endpoint used for validation: http://localhost:8080
  • Driver/runtime: Kubernetes local cluster
  • Sandbox image observed: ghcr.io/nvidia/openshell-community/sandboxes/base:latest
  • Date observed: 2026-06-15

Logs

Initial empty file on warranted-moonfish:

sandbox=warranted-moonfish
-rw-r--r-- 1 root root 0 Jun 15 22:56 openshell-ocsf.2026-06-15.log
0 /var/log/openshell-ocsf.2026-06-15.log

Effective settings at the same time:

{
  "sandbox": "warranted-moonfish",
  "settings": {
    "ocsf_json_enabled": {
      "scope": "global",
      "value": "true"
    }
  }
}

After forcing a sandbox config revision:

[sandbox] [INFO ] [openshell_sandbox] OCSF JSONL logging toggled ocsf_json_enabled=true
13329 /var/log/openshell-ocsf.2026-06-15.log

Proposed Fix

Apply effective settings from the initial poll_settings() result in run_policy_poll_loop, including ocsf_json_enabled, before storing the initial revision as current. At minimum, extract ocsf_json_enabled from the initial settings response and update ctx.ocsf_enabled immediately.

Add regression coverage for a sandbox whose first settings poll returns ocsf_json_enabled=true, verifying the JSONL layer is enabled without requiring a subsequent config revision change.
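
The startup gap described in the code investigation, as an added example that is not part of the original issue and is not OpenShell's code: a simplified model of a poll loop that applies settings only when the revision changes, next to the proposed behavior of applying them from the first poll. The names Poll, poll, apply_ocsf and run_polls are hypothetical, and the poll sequence is constructed.

```rust
use std::collections::HashMap;
use std::sync::atomic::{AtomicBool, Ordering};

/// Hypothetical stand-in for one poll_settings() response.
pub struct Poll {
    pub revision: u64,
    pub settings: HashMap<String, String>,
}

/// Constructed sample response carrying only ocsf_json_enabled.
pub fn poll(revision: u64, ocsf: &str) -> Poll {
    let mut settings = HashMap::new();
    settings.insert("ocsf_json_enabled".to_string(), ocsf.to_string());
    Poll { revision, settings }
}

/// Hypothetical helper: copy the effective setting into the shared flag.
fn apply_ocsf(flag: &AtomicBool, settings: &HashMap<String, String>) {
    let on = settings.get("ocsf_json_enabled").map_or(false, |v| v == "true");
    flag.store(on, Ordering::Relaxed);
}

/// Simplified poll loop; returns the flag state observed after each poll.
pub fn run_polls(polls: &[Poll], apply_initial: bool) -> Vec<bool> {
    let flag = AtomicBool::new(false); // starts disabled, as the issue describes
    let mut current_revision: Option<u64> = None;
    let mut states = Vec::new();
    for p in polls {
        match current_revision {
            // First poll: the reported behavior only records the revision.
            None => {
                if apply_initial {
                    apply_ocsf(&flag, &p.settings);
                }
            }
            // Later polls: settings are applied only when the revision changes.
            Some(rev) if rev != p.revision => apply_ocsf(&flag, &p.settings),
            Some(_) => {}
        }
        current_revision = Some(p.revision);
        states.push(flag.load(Ordering::Relaxed));
    }
    states
}

fn main() {
    // Constructed sequence: setting already true at startup, then one revision bump.
    let polls = [poll(1, "true"), poll(1, "true"), poll(2, "true")];
    println!("reported: {:?}", run_polls(&polls, false));
    println!("proposed: {:?}", run_polls(&polls, true));
}
```

With `apply_initial` set to false the flag stays false until the revision moves from 1 to 2, which mirrors the empty log file on a sandbox created after global enablement.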

Labels

  • area:sandbox (Sandbox runtime and isolation work)
  • state:pr-opened (PR has been opened for this issue)
  • topic:observability (Logging, metrics, and observability work)
