feat(gateway): support adding remote and local gateways (#262)

Author: drew

crates/navigator-bootstrap/src/docker.rs

@@ -121,6 +121,71 @@ pub async fn create_ssh_docker_client(remote: &RemoteOptions) -> Result<Docker>
         .wrap_err("failed to negotiate Docker API version with remote daemon")
 }
 
+/// Find the running openshell gateway container by image name.
+///
+/// Lists all running containers and returns the name of the one whose image
+/// contains `openshell/cluster`. When `port` is provided, only containers
+/// with a matching host port binding are considered — this disambiguates
+/// when multiple gateway containers are running on the same host.
+///
+/// Fails if zero or multiple containers match.
+pub async fn find_gateway_container(docker: &Docker, port: Option<u16>) -> Result<String> {
+    let containers = docker
+        .list_containers(Some(ListContainersOptionsBuilder::new().all(false).build()))
+        .await
+        .into_diagnostic()
+        .wrap_err("failed to list Docker containers")?;
+
+    let is_gateway_image = |c: &bollard::models::ContainerSummary| {
+        c.image
+            .as_deref()
+            .is_some_and(|img| img.contains("openshell/cluster"))
+    };
+
+    let has_port = |c: &bollard::models::ContainerSummary, p: u16| {
+        c.ports
+            .as_deref()
+            .unwrap_or_default()
+            .iter()
+            .any(|binding| binding.public_port == Some(p))
+    };
+
+    let container_name = |c: &bollard::models::ContainerSummary| {
+        c.names
+            .as_ref()
+            .and_then(|n| n.first())
+            .map(|n| n.trim_start_matches('/').to_string())
+    };
+
+    let matches: Vec<String> = containers
+        .iter()
+        .filter(|c| is_gateway_image(c) && port.map_or(true, |p| has_port(c, p)))
+        .filter_map(container_name)
+        .collect();
+
+    match matches.len() {
+        0 => {
+            let hint = if let Some(p) = port {
+                format!(
+                    "No openshell gateway container found listening on port {p}.\n\
+                     Is the gateway running? Check with: docker ps"
+                )
+            } else {
+                "No openshell gateway container found.\n\
+                 Is the gateway running? Check with: docker ps"
+                    .to_string()
+            };
+            Err(miette::miette!("{hint}"))
+        }
+        1 => Ok(matches.into_iter().next().unwrap()),
+        _ => Err(miette::miette!(
+            "Found multiple openshell gateway containers: {}\n\
+             Specify the port in the endpoint URL to select one (e.g. https://host:8080).",
+            matches.join(", ")
+        )),
+    }
+}
+
 pub async fn ensure_network(docker: &Docker) -> Result<()> {
     // Always remove and recreate the network to guarantee a clean state.
     // Stale Docker networks (e.g., from a previous interrupted destroy or

crates/navigator-bootstrap/src/lib.rs

@@ -33,8 +33,7 @@ use crate::docker::{
     ensure_image, ensure_network, ensure_volume, start_container, stop_container,
 };
 use crate::metadata::{
-    create_gateway_metadata, create_gateway_metadata_with_host, extract_host_from_ssh_destination,
-    local_gateway_host, resolve_ssh_hostname,
+    create_gateway_metadata, create_gateway_metadata_with_host, local_gateway_host,
 };
 use crate::mtls::store_pki_bundle;
 use crate::pki::generate_pki;
@@ -46,9 +45,10 @@ use crate::runtime::{
 pub use crate::constants::container_name;
 pub use crate::docker::{ExistingGatewayInfo, create_ssh_docker_client};
 pub use crate::metadata::{
-    GatewayMetadata, clear_active_gateway, get_gateway_metadata, list_gateways,
-    load_active_gateway, load_gateway_metadata, load_last_sandbox, remove_gateway_metadata,
-    save_active_gateway, save_last_sandbox, store_gateway_metadata,
+    GatewayMetadata, clear_active_gateway, extract_host_from_ssh_destination, get_gateway_metadata,
+    list_gateways, load_active_gateway, load_gateway_metadata, load_last_sandbox,
+    remove_gateway_metadata, resolve_ssh_hostname, save_active_gateway, save_last_sandbox,
+    store_gateway_metadata,
 };
 
 /// Options for remote SSH deployment.
@@ -479,6 +479,30 @@ pub async fn gateway_handle(name: &str, remote: Option<&RemoteOptions>) -> Resul
     })
 }
 
+/// Extract mTLS certificates from an existing gateway container and store
+/// them locally so the CLI can connect.
+///
+/// Connects to Docker (local or remote via SSH), auto-discovers the running
+/// gateway container by image name (narrowed by `port` when provided), reads
+/// the PKI bundle from Kubernetes secrets inside it, and writes the client
+/// materials (ca.crt, tls.crt, tls.key) to the gateway config directory.
+pub async fn extract_and_store_pki(
+    name: &str,
+    remote: Option<&RemoteOptions>,
+    port: Option<u16>,
+) -> Result<()> {
+    let docker = match remote {
+        Some(r) => create_ssh_docker_client(r).await?,
+        None => Docker::connect_with_local_defaults().into_diagnostic()?,
+    };
+    let cname = docker::find_gateway_container(&docker, port).await?;
+    let bundle = load_existing_pki_bundle(&docker, &cname, constants::KUBECONFIG_PATH)
+        .await
+        .map_err(|e| miette::miette!("Failed to extract TLS certificates: {e}"))?;
+    store_pki_bundle(name, &bundle)?;
+    Ok(())
+}
+
 pub async fn ensure_gateway_image(version: &str, registry_token: Option<&str>) -> Result<String> {
     let docker = Docker::connect_with_local_defaults().into_diagnostic()?;
     let image_ref = format!("{}:{version}", image::DEFAULT_GATEWAY_IMAGE);

crates/navigator-cli/src/bootstrap.rs

@@ -4,14 +4,14 @@
 //! Auto-bootstrap helpers for sandbox creation.
 //!
 //! When `sandbox create` cannot reach a gateway, these helpers determine whether
-//! to offer gateway bootstrap, prompt the user for confirmation, and execute the
-//! local or remote bootstrap flow.
+//! to attempt gateway bootstrap and execute the local or remote bootstrap flow.
+//! Bootstrap proceeds automatically unless the user opts out with `--no-bootstrap`.
 
-use crate::tls::TlsOptions;
-use dialoguer::Confirm;
+use std::time::Duration;
+
+use crate::tls::{TlsOptions, grpc_client};
 use miette::Result;
 use owo_colors::OwoColorize;
-use std::io::IsTerminal;
 
 use crate::run::{deploy_gateway_with_panel, print_deploy_summary};
 
@@ -95,46 +95,55 @@ fn is_connectivity_error(error: &miette::Report) -> bool {
     connectivity_patterns.iter().any(|p| lower.contains(p))
 }
 
-/// Prompt the user to confirm gateway bootstrap.
+/// Decide whether gateway bootstrap should proceed.
 ///
-/// When `override_value` is `Some(true)` or `Some(false)`, the decision is
-/// made immediately (from `--bootstrap` / `--no-bootstrap`). Otherwise,
-/// prompts interactively when stdin is a terminal, or returns an error in
-/// non-interactive mode.
+/// When `override_value` is `Some(false)` (from `--no-bootstrap`), returns
+/// `false` to skip bootstrap. Otherwise returns `true` — a gateway is created
+/// automatically without prompting the user.
 pub fn confirm_bootstrap(override_value: Option<bool>) -> Result<bool> {
-    // Explicit flag takes precedence over interactive detection.
-    if let Some(value) = override_value {
-        return Ok(value);
-    }
-
-    if !std::io::stdin().is_terminal() {
-        return Err(miette::miette!(
-            "Gateway not reachable and bootstrap requires confirmation from an interactive terminal.\n\
-              Pass --bootstrap to auto-confirm, or run 'openshell gateway start' first."
-        ));
+    if let Some(false) = override_value {
+        return Ok(false);
     }
+    Ok(true)
+}
 
-    let confirmed = Confirm::new()
-        .with_prompt(format!(
-            "{} No gateway available to launch sandbox in. Create one now?",
-            "!".yellow()
-        ))
-        .default(true)
-        .interact()
-        .map_err(|e| miette::miette!("failed to read confirmation: {e}"))?;
-
-    Ok(confirmed)
+/// Resolve the gateway name for bootstrap.
+///
+/// Respects `$OPENSHELL_GATEWAY` if set, otherwise falls back to the default.
+fn resolve_bootstrap_name() -> String {
+    std::env::var("OPENSHELL_GATEWAY")
+        .ok()
+        .filter(|v| !v.trim().is_empty())
+        .unwrap_or_else(|| DEFAULT_GATEWAY_NAME.to_string())
 }
 
 /// Bootstrap a local gateway and return refreshed TLS options that pick up the
-/// newly-written mTLS certificates.
+/// newly-written mTLS certificates, along with the gateway name used.
 pub async fn run_bootstrap(
     remote: Option<&str>,
     ssh_key: Option<&str>,
-) -> Result<(TlsOptions, String)> {
+) -> Result<(TlsOptions, String, String)> {
+    let gateway_name = resolve_bootstrap_name();
     let location = if remote.is_some() { "remote" } else { "local" };
 
-    let mut options = navigator_bootstrap::DeployOptions::new(DEFAULT_GATEWAY_NAME);
+    eprintln!();
+    eprintln!(
+        "{} No gateway found — starting one automatically.",
+        "ℹ".cyan().bold()
+    );
+    eprintln!();
+    eprintln!("  The Gateway provides a secure control plane for OpenShell. It streamlines");
+    eprintln!("  access for humans and agents alike — handles sandbox orchestration, and");
+    eprintln!("  enables secure, concurrent agent workflows.");
+    eprintln!();
+    eprintln!(
+        "  Manage it later with: {} or {}",
+        "openshell gateway status".bold(),
+        "openshell gateway stop".bold(),
+    );
+    eprintln!();
+
+    let mut options = navigator_bootstrap::DeployOptions::new(&gateway_name);
     if let Some(dest) = remote {
         let mut remote_opts = navigator_bootstrap::RemoteOptions::new(dest);
         if let Some(key) = ssh_key {
@@ -151,23 +160,59 @@ pub async fn run_bootstrap(
         options = options.with_registry_token(token);
     }
 
-    let handle = deploy_gateway_with_panel(options, DEFAULT_GATEWAY_NAME, location).await?;
+    let handle = deploy_gateway_with_panel(options, &gateway_name, location).await?;
     let server = handle.gateway_endpoint().to_string();
 
-    print_deploy_summary(DEFAULT_GATEWAY_NAME, &handle);
+    print_deploy_summary(&gateway_name, &handle);
 
     // Auto-activate the bootstrapped gateway.
-    if let Err(err) = navigator_bootstrap::save_active_gateway(DEFAULT_GATEWAY_NAME) {
+    if let Err(err) = navigator_bootstrap::save_active_gateway(&gateway_name) {
         tracing::debug!("failed to set active gateway after bootstrap: {err}");
     }
 
     // Build fresh TLS options that resolve the newly-written mTLS certs from
     // the default XDG path for this gateway, using the gateway name directly.
     let tls = TlsOptions::default()
-        .with_gateway_name(DEFAULT_GATEWAY_NAME)
+        .with_gateway_name(&gateway_name)
         .with_default_paths(&server);
 
-    Ok((tls, server))
+    // Wait for the gateway gRPC endpoint to accept connections before
+    // handing back to the caller. The Docker health check may pass before
+    // the gRPC listener is fully ready, so retry with backoff.
+    wait_for_grpc_ready(&server, &tls).await?;
+
+    Ok((tls, server, gateway_name))
+}
+
+/// Retry connecting to the gateway gRPC endpoint until it succeeds or a
+/// timeout is reached. Uses exponential backoff starting at 500 ms, doubling
+/// up to 4 s, with a total deadline of 30 s.
+async fn wait_for_grpc_ready(server: &str, tls: &TlsOptions) -> Result<()> {
+    const MAX_WAIT: Duration = Duration::from_secs(30);
+    const INITIAL_BACKOFF: Duration = Duration::from_millis(500);
+
+    let start = std::time::Instant::now();
+    let mut backoff = INITIAL_BACKOFF;
+    let mut last_err = None;
+
+    while start.elapsed() < MAX_WAIT {
+        match grpc_client(server, tls).await {
+            Ok(_client) => return Ok(()),
+            Err(err) => {
+                tracing::debug!(
+                    elapsed = ?start.elapsed(),
+                    "gateway not yet accepting connections: {err:#}"
+                );
+                last_err = Some(err);
+            }
+        }
+        tokio::time::sleep(backoff).await;
+        backoff = (backoff * 2).min(Duration::from_secs(4));
+    }
+
+    Err(last_err
+        .unwrap_or_else(|| miette::miette!("timed out waiting for gateway"))
+        .wrap_err("gateway deployed but not accepting connections after 30 s"))
 }
 
 #[cfg(test)]