refactor(docker): rename server image to gateway (#246)

drew · web-flow · commit d0910723d597 · 2026-03-11T16:01:26.000-07:00
* refactor(docker): rename server image to gateway

Rename Dockerfile.server to Dockerfile.gateway and update all image
references from openshell/server to openshell/gateway across Helm
charts, Kubernetes manifests, mise tasks, build/deploy scripts, CI
workflows, and documentation.

The underlying Rust binary (navigator-server) is unchanged -- this
rename only affects the Docker image name and Dockerfile.

* fix: catch remaining server-&gt;gateway references in docs and comments
diff --git a/.agents/skills/debug-navigator-cluster/SKILL.md b/.agents/skills/debug-navigator-cluster/SKILL.md
@@ -230,7 +230,7 @@ docker save <image-ref> | docker exec -i openshell-cluster-<name> ctr -a /run/k3
 docker exec openshell-cluster-<name> cat /etc/rancher/k3s/registries.yaml
 
 # Test pulling an image manually from inside the cluster
-docker exec openshell-cluster-<name> sh -lc 'KUBECONFIG=/etc/rancher/k3s/k3s.yaml crictl pull ghcr.io/nvidia/openshell/server:latest'
+docker exec openshell-cluster-<name> sh -lc 'KUBECONFIG=/etc/rancher/k3s/k3s.yaml crictl pull ghcr.io/nvidia/openshell/gateway:latest'
 ```
 
 If `registries.yaml` is missing or has wrong values, verify env wiring (`OPENSHELL_REGISTRY_HOST`, `OPENSHELL_REGISTRY_INSECURE`, username/password for authenticated registries).
diff --git a/.claude/agent-memory/arch-doc-writer/MEMORY.md b/.claude/agent-memory/arch-doc-writer/MEMORY.md
@@ -59,16 +59,16 @@
 - Proto files also include: `proto/inference.proto` (navigator.inference.v1)
 
 ## Container/Build Details
-- Four runtime images: sandbox (5 stages), server (2 stages), cluster (k3s base), pki-job (Alpine)
+- Four runtime images: sandbox (5 stages), gateway (2 stages), cluster (k3s base), pki-job (Alpine)
 - Two build-only images: python-wheels (Linux multi-arch), python-wheels-macos (osxcross cross-compile)
 - CI image: Dockerfile.ci (Ubuntu 24.04, pre-installs docker/buildx/aws/kubectl/helm/mise/uv/sccache/socat)
-- Cross-compilation: `deploy/docker/cross-build.sh` shared by sandbox + server Dockerfiles
+- Cross-compilation: `deploy/docker/cross-build.sh` shared by sandbox + gateway Dockerfiles
 - Sandbox image has coding-agents stage: Claude CLI (native installer), OpenCode, Codex (npm)
 - Helm chart deploys a StatefulSet (NOT Deployment), PVC 1Gi at /var/navigator
 - Cluster image does NOT bundle image tarballs -- components pulled at runtime from distribution registry
 - PKI job generates CA + server cert + client cert for mTLS (RSA 2048, 10yr, Helm pre-install hook)
 - Build tasks in `tasks/*.toml`; scripts in `tasks/scripts/`
-- `cluster-deploy-fast.sh` supports both auto mode (git diff) and explicit targets (server/sandbox/pki-job/chart/all)
+- `cluster-deploy-fast.sh` supports both auto mode (git diff) and explicit targets (gateway/sandbox/chart/all)
 - `cluster-bootstrap.sh` ensures local Docker registry on port 5000, pushes all components, then deploys
 - Default values.yaml: repository is CloudFront-backed CDN, tag: "latest", pullPolicy: Always
 - Envoy Gateway version: v1.5.8 (set in mise.toml)
diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml
@@ -4,7 +4,7 @@ on:
   workflow_call:
     inputs:
       component:
-        description: "Component to build (server, sandbox, cluster)"
+        description: "Component to build (gateway, sandbox, cluster)"
         required: true
         type: string
       timeout-minutes:
diff --git a/.github/workflows/e2e.yml b/.github/workflows/e2e.yml
@@ -9,11 +9,11 @@ permissions:
   packages: write
 
 jobs:
-  build-server:
+  build-gateway:
     if: contains(github.event.pull_request.labels.*.name, 'e2e')
     uses: ./.github/workflows/docker-build.yml
     with:
-      component: server
+      component: gateway
 
   build-sandbox:
     if: contains(github.event.pull_request.labels.*.name, 'e2e')
@@ -28,7 +28,7 @@ jobs:
       component: cluster
 
   e2e:
-    needs: [build-server, build-sandbox, build-cluster]
+    needs: [build-gateway, build-sandbox, build-cluster]
     uses: ./.github/workflows/e2e-test.yml
     with:
       image-tag: ${{ github.sha }}
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -14,10 +14,10 @@ defaults:
     shell: bash
 
 jobs:
-  build-server:
+  build-gateway:
     uses: ./.github/workflows/docker-build.yml
     with:
-      component: server
+      component: gateway
 
   build-sandbox:
     uses: ./.github/workflows/docker-build.yml
@@ -31,7 +31,7 @@ jobs:
 
   tag-ghcr-latest:
     name: Tag GHCR Images as Latest
-    needs: [build-server, build-sandbox, build-cluster]
+    needs: [build-gateway, build-sandbox, build-cluster]
     runs-on: build-amd64
     timeout-minutes: 10
     steps:
@@ -42,7 +42,7 @@ jobs:
         run: |
           set -euo pipefail
           REGISTRY="ghcr.io/nvidia/openshell"
-          for component in server sandbox cluster; do
+          for component in gateway sandbox cluster; do
             echo "Tagging ${REGISTRY}/${component}:${{ github.sha }} as latest..."
             docker buildx imagetools create \
               --prefer-index=false \
@@ -52,7 +52,7 @@ jobs:
 
   build-python-wheels:
     name: Stage Python Wheels
-    needs: [build-server, build-sandbox, build-cluster]
+    needs: [build-gateway, build-sandbox, build-cluster]
     runs-on: build-amd64
     timeout-minutes: 120
     outputs:
diff --git a/architecture/build-containers.md b/architecture/build-containers.md
@@ -9,7 +9,7 @@ deploy/
   docker/
     .dockerignore
     Dockerfile.sandbox             # Sandbox container (runs agent code in isolation)
-    Dockerfile.server              # Gateway container (orchestration / control plane)
+    Dockerfile.gateway             # Gateway container (orchestration / control plane)
     Dockerfile.cluster             # Airgapped k3s cluster with Helm charts and manifests
     Dockerfile.ci                  # CI runner image with pre-installed toolchain
     Dockerfile.python-wheels       # Multi-arch Linux wheel builder for the Python CLI package
@@ -74,11 +74,11 @@ The sandbox container runs inside each sandbox pod. It contains the sandbox supe
 - Policy files are mounted at `/var/navigator/policy.rego` (rules) and `/var/navigator/data.yaml` (data) when running in file-based policy mode.
 - The Python SDK is copied directly into the venv's site-packages at `/app/.venv/lib/python3.12/site-packages/openshell/`.
 
-### Gateway Image (`openshell/server`)
+### Gateway Image (`openshell/gateway`)
 
 The gateway container runs the control plane / orchestration service.
 
-**Build stages** (2 stages in `deploy/docker/Dockerfile.server`):
+**Build stages** (2 stages in `deploy/docker/Dockerfile.gateway`):
 
 1. **builder** -- Two-pass Rust compilation with dependency caching:
    - First pass copies only `Cargo.toml`/`Cargo.lock` files and creates dummy source files (`fn main() {}` / empty `lib.rs`) to build dependencies in isolation. This layer is cached unless dependency manifests change.
@@ -195,7 +195,7 @@ Modifies the HelmChart manifest at `/var/lib/rancher/k3s/server/manifests/naviga
 | Variable | Effect |
 |---|---|
 | `IMAGE_REPO_BASE` | Rewrites `repository:` and `sandboxImage:` to use the specified base path |
-| `PUSH_IMAGE_REFS` | Parses comma-separated image refs and rewrites exact server and sandbox references (matching on path component `/server:`, `/sandbox:`) |
+| `PUSH_IMAGE_REFS` | Parses comma-separated image refs and rewrites exact gateway and sandbox references (matching on path component `/gateway:`, `/sandbox:`) |
 | `IMAGE_TAG` | Replaces `:latest` tags with the specified tag (handles both quoted and unquoted `tag: latest` formats) |
 | `IMAGE_PULL_POLICY` | Replaces `pullPolicy: Always` with the specified policy (e.g., `IfNotPresent`) |
 | `SSH_GATEWAY_HOST` / `SSH_GATEWAY_PORT` | Replaces `__SSH_GATEWAY_HOST__` and `__SSH_GATEWAY_PORT__` placeholders; clears to defaults if unset |
@@ -228,7 +228,7 @@ The Helm chart at `deploy/helm/navigator/` deploys the gateway to Kubernetes as
 replicaCount: 1
 
 image:
-  repository: ghcr.io/nvidia/openshell/server
+  repository: ghcr.io/nvidia/openshell/gateway
   pullPolicy: Always
   tag: "latest"
 
@@ -306,7 +306,7 @@ All builds use mise tasks defined in `tasks/*.toml` (included from `mise.toml`).
 |---|---|
 | `mise run docker:build` | Build all runtime images (sandbox, gateway, cluster) |
 | `mise run docker:build:sandbox` | Build sandbox image |
-| `mise run docker:build:server` | Build gateway image |
+| `mise run docker:build:gateway` | Build gateway image |
 | `mise run docker:build:cluster` | Build k3s cluster image (packages Helm charts first) |
 | `mise run docker:build:ci` | Build CI runner image |
 | `mise run docker:build:cluster:multiarch` | Build multi-arch cluster image and push to a registry |
@@ -336,11 +336,11 @@ All builds use mise tasks defined in `tasks/*.toml` (included from `mise.toml`).
 | `Cargo.toml`, `Cargo.lock`, `proto/*`, `deploy/docker/cross-build.sh` | Gateway + sandbox rebuild |
 | `crates/navigator-core/*`, `crates/navigator-providers/*` | Gateway + sandbox rebuild |
 | `crates/navigator-router/*` | Gateway rebuild |
-| `crates/navigator-server/*`, `deploy/docker/Dockerfile.server` | Gateway rebuild |
+| `crates/navigator-server/*`, `deploy/docker/Dockerfile.gateway` | Gateway rebuild |
 | `crates/navigator-sandbox/*`, `deploy/docker/sandbox/*`, `python/*`, `pyproject.toml`, `uv.lock`, `crates/navigator-sandbox/data/sandbox-policy.rego` | Sandbox rebuild |
 | `deploy/helm/navigator/*` | Helm upgrade |
 
-**Explicit target mode** (arguments: `server`, `sandbox`, `chart`, `all`): Rebuilds only the specified components.
+**Explicit target mode** (arguments: `gateway`, `sandbox`, `chart`, `all`): Rebuilds only the specified components.
 
 Auto mode persists the last deployed fingerprints in `.cache/cluster-deploy-fast.state` (or `$DEPLOY_FAST_STATE_FILE`). Re-running `mise run cluster` without new local changes prints `No new local changes since last deploy.` and skips rebuild/upgrade work.
 
@@ -461,7 +461,7 @@ When the cluster container starts, k3s automatically deploys these HelmChart CRs
 ## Implementation References
 
 - `deploy/docker/Dockerfile.sandbox` -- Sandbox image (5-stage multi-arch build)
-- `deploy/docker/Dockerfile.server` -- Gateway image (2-stage with dependency caching)
+- `deploy/docker/Dockerfile.gateway` -- Gateway image (2-stage with dependency caching)
 - `deploy/docker/Dockerfile.cluster` -- Cluster image (k3s base + charts + manifests)
 - `deploy/docker/Dockerfile.ci` -- CI runner image (Ubuntu + full toolchain)
 - `deploy/docker/Dockerfile.python-wheels` -- Linux wheel builder
diff --git a/architecture/gateway-single-node.md b/architecture/gateway-single-node.md
@@ -289,7 +289,7 @@ Copies bundled manifests from `/opt/navigator/manifests/` to `/var/lib/rancher/k
 When environment variables are set, the entrypoint modifies the HelmChart manifest at `/var/lib/rancher/k3s/server/manifests/navigator-helmchart.yaml`:
 
 - `IMAGE_REPO_BASE`: Rewrites `repository:`, `sandboxImage:`, and `jobImage:` in the HelmChart.
-- `PUSH_IMAGE_REFS`: In push mode, parses comma-separated image refs and rewrites the exact gateway, sandbox, and pki-job image references (matching on path component `/server:`, `/sandbox:`, `/pki-job:`).
+- `PUSH_IMAGE_REFS`: In push mode, parses comma-separated image refs and rewrites the exact gateway, sandbox, and pki-job image references (matching on path component `/gateway:`, `/sandbox:`, `/pki-job:`).
 - `IMAGE_TAG`: Replaces `:latest` tags with the specified tag on gateway, sandbox, and pki-job images. Handles both quoted and unquoted `tag: latest` formats.
 - `IMAGE_PULL_POLICY`: Replaces `pullPolicy: Always` with the specified policy (e.g., `IfNotPresent`).
 - `SSH_GATEWAY_HOST` / `SSH_GATEWAY_PORT`: Replaces `__SSH_GATEWAY_HOST__` and `__SSH_GATEWAY_PORT__` placeholders.
diff --git a/deploy/docker/Dockerfile.cluster b/deploy/docker/Dockerfile.cluster
@@ -12,7 +12,7 @@
 # - HelmChart CR for auto-deploying OpenShell
 # - Custom entrypoint for DNS configuration in Docker environments
 #
-# Component images (openshell/server, openshell/sandbox) are
+# Component images (openshell/gateway, openshell/sandbox) are
 # pulled at runtime from the distribution registry rather than bundled as tarballs.
 # Registry credentials are generated by the entrypoint script at container start.
 #
diff --git a/deploy/docker/Dockerfile.gateway b/deploy/docker/Dockerfile.gateway
@@ -3,7 +3,7 @@
 # SPDX-FileCopyrightText: Copyright (c) 2025-2026 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
 # SPDX-License-Identifier: Apache-2.0
 
-# OpenShell Server Docker image
+# OpenShell Gateway Docker image
 # Multi-stage build with cross-compilation support for multi-arch
 
 # Stage 1: Rust builder (runs on build platform, cross-compiles for target)
@@ -52,9 +52,9 @@ COPY proto/ proto/
 # sccache uses memcached in CI (SCCACHE_MEMCACHED_ENDPOINT) or the local
 # disk cache mount for local dev builds. The cargo-target mount gives cargo
 # a persistent target/ dir for true incremental rebuilds on source changes.
-RUN --mount=type=cache,id=cargo-registry-server-${TARGETARCH},sharing=locked,target=/usr/local/cargo/registry \
-    --mount=type=cache,id=cargo-target-server-${TARGETARCH}-${CARGO_TARGET_CACHE_SCOPE},sharing=locked,target=/build/target \
-    --mount=type=cache,id=sccache-server-${TARGETARCH},sharing=locked,target=/tmp/sccache \
+RUN --mount=type=cache,id=cargo-registry-gateway-${TARGETARCH},sharing=locked,target=/usr/local/cargo/registry \
+    --mount=type=cache,id=cargo-target-gateway-${TARGETARCH}-${CARGO_TARGET_CACHE_SCOPE},sharing=locked,target=/build/target \
+    --mount=type=cache,id=sccache-gateway-${TARGETARCH},sharing=locked,target=/tmp/sccache \
     . cross-build.sh && cargo_cross_build --release -p navigator-server 2>/dev/null || true
 
 # Copy actual source code
@@ -68,9 +68,9 @@ RUN touch crates/navigator-server/src/main.rs \
     proto/*.proto
 
 # Build the actual application
-RUN --mount=type=cache,id=cargo-registry-server-${TARGETARCH},sharing=locked,target=/usr/local/cargo/registry \
-    --mount=type=cache,id=cargo-target-server-${TARGETARCH}-${CARGO_TARGET_CACHE_SCOPE},sharing=locked,target=/build/target \
-    --mount=type=cache,id=sccache-server-${TARGETARCH},sharing=locked,target=/tmp/sccache \
+RUN --mount=type=cache,id=cargo-registry-gateway-${TARGETARCH},sharing=locked,target=/usr/local/cargo/registry \
+    --mount=type=cache,id=cargo-target-gateway-${TARGETARCH}-${CARGO_TARGET_CACHE_SCOPE},sharing=locked,target=/build/target \
+    --mount=type=cache,id=sccache-gateway-${TARGETARCH},sharing=locked,target=/tmp/sccache \
     . cross-build.sh && \
     if [ -n "${OPENSHELL_CARGO_VERSION:-}" ]; then \
       sed -i -E '/^\[workspace\.package\]/,/^\[/{s/^version[[:space:]]*=[[:space:]]*".*"/version = "'"${OPENSHELL_CARGO_VERSION}"'"/}' Cargo.toml; \
diff --git a/deploy/docker/cluster-entrypoint.sh b/deploy/docker/cluster-entrypoint.sh
@@ -322,7 +322,7 @@ HELMCHART="/var/lib/rancher/k3s/server/manifests/openshell-helmchart.yaml"
 if [ -n "${IMAGE_REPO_BASE:-}" ] && [ -f "$HELMCHART" ]; then
     target_tag="${IMAGE_TAG:-latest}"
     echo "Setting image repository base: ${IMAGE_REPO_BASE}"
-    sed -i -E "s|repository:[[:space:]]*[^[:space:]]+|repository: ${IMAGE_REPO_BASE}/server|" "$HELMCHART"
+    sed -i -E "s|repository:[[:space:]]*[^[:space:]]+|repository: ${IMAGE_REPO_BASE}/gateway|" "$HELMCHART"
     sed -i -E "s|sandboxImage:[[:space:]]*[^[:space:]]+|sandboxImage: ${IMAGE_REPO_BASE}/sandbox:${target_tag}|" "$HELMCHART"
 fi
 
@@ -335,7 +335,7 @@ if [ -n "${PUSH_IMAGE_REFS:-}" ] && [ -f "$HELMCHART" ]; then
     IFS=','
     for ref in $PUSH_IMAGE_REFS; do
         case "$ref" in
-            */server:*) server_image="$ref" ;;
+            */gateway:*) server_image="$ref" ;;
             */sandbox:*) sandbox_image="$ref" ;;
         esac
     done
diff --git a/deploy/helm/openshell/values.yaml b/deploy/helm/openshell/values.yaml
@@ -6,7 +6,7 @@
 replicaCount: 1
 
 image:
-  repository: ghcr.io/nvidia/openshell/server
+  repository: ghcr.io/nvidia/openshell/gateway
   pullPolicy: Always
   tag: "latest"
 
diff --git a/deploy/kube/manifests/openshell-helmchart.yaml b/deploy/kube/manifests/openshell-helmchart.yaml
@@ -25,7 +25,7 @@ spec:
   valuesContent: |-
     chartChecksum: __CHART_CHECKSUM__
     image:
-      repository: ghcr.io/nvidia/openshell/server
+      repository: ghcr.io/nvidia/openshell/gateway
       tag: latest
       pullPolicy: Always
     server:
diff --git a/docs/reference/support-matrix.md b/docs/reference/support-matrix.md
@@ -52,7 +52,7 @@ OpenShell uses several container images that are pulled automatically during gat
 | Image | Registry | Reference | Pulled When |
 |---|---|---|---|
 | Cluster | ghcr.io | `ghcr.io/nvidia/openshell/cluster:latest` | `openshell gateway start` |
-| Server | ghcr.io | `ghcr.io/nvidia/openshell/server:latest` | Cluster startup (via Helm chart) |
+| Gateway | ghcr.io | `ghcr.io/nvidia/openshell/gateway:latest` | Cluster startup (via Helm chart) |
 | Sandbox | ghcr.io | `ghcr.io/nvidia/openshell/sandbox:latest` | First sandbox creation (via Helm chart) |
 | Community sandboxes | GHCR | `ghcr.io/nvidia/openshell-community/sandboxes/{name}:latest` | `openshell sandbox create --from <name>` |
 
diff --git a/scripts/remote-deploy.sh b/scripts/remote-deploy.sh
@@ -249,11 +249,11 @@ echo "==> Building Docker images (tag=${IMAGE_TAG})..."
 export OPENSHELL_CARGO_VERSION="${CARGO_VERSION}"
 export IMAGE_TAG
 mise exec -- tasks/scripts/docker-build-cluster.sh
-mise exec -- tasks/scripts/docker-build-component.sh server
+mise exec -- tasks/scripts/docker-build-component.sh gateway
 mise exec -- tasks/scripts/docker-build-component.sh sandbox
 
 export OPENSHELL_CLUSTER_IMAGE="openshell/cluster:${IMAGE_TAG}"
-export OPENSHELL_PUSH_IMAGES="openshell/server:${IMAGE_TAG},openshell/sandbox:${IMAGE_TAG}"
+export OPENSHELL_PUSH_IMAGES="openshell/gateway:${IMAGE_TAG},openshell/sandbox:${IMAGE_TAG}"
 
 start_args=(
   gateway
diff --git a/tasks/cluster.toml b/tasks/cluster.toml
@@ -10,7 +10,7 @@ run = "tasks/scripts/cluster.sh"
 ["cluster:build:full"]
 description = "Build and deploy local k3s cluster with OpenShell"
 depends = [
-  "docker:build:server",
+  "docker:build:gateway",
   "docker:build:sandbox",
 ]
 run = "tasks/scripts/cluster-bootstrap.sh build"
@@ -31,9 +31,9 @@ description = "Pull-mode deploy using local registry pushes"
 run = "tasks/scripts/cluster-deploy-fast.sh all"
 hide = true
 
-["cluster:push:server"]
-description = "Tag and push server image to pull registry"
-run = "tasks/scripts/cluster-push-component.sh server"
+["cluster:push:gateway"]
+description = "Tag and push gateway image to pull registry"
+run = "tasks/scripts/cluster-push-component.sh gateway"
 hide = true
 
 ["cluster:push:sandbox"]
diff --git a/tasks/docker.toml b/tasks/docker.toml
@@ -7,7 +7,7 @@
 description = "Build all Docker images"
 depends = [
   "docker:build:sandbox",
-  "docker:build:server",
+  "docker:build:gateway",
   "docker:build:cluster",
 ]
 hide = true
@@ -28,9 +28,9 @@ depends = ["docker:build:sandbox"]
 run = "tasks/scripts/docker-build-component.sh sandbox nvidia --build-arg BASE_IMAGE=openshell/sandbox:${IMAGE_TAG:-dev}"
 hide = true
 
-["docker:build:server"]
-description = "Build the server Docker image"
-run = "tasks/scripts/docker-build-component.sh server"
+["docker:build:gateway"]
+description = "Build the gateway Docker image"
+run = "tasks/scripts/docker-build-component.sh gateway"
 hide = true
 
 ["docker:build:cluster"]
diff --git a/tasks/scripts/cluster-bootstrap.sh b/tasks/scripts/cluster-bootstrap.sh
@@ -223,7 +223,7 @@ fi
 if [ "${SKIP_IMAGE_PUSH:-}" = "1" ]; then
   echo "Skipping image push (SKIP_IMAGE_PUSH=1; images already in registry)."
 elif [ "${MODE}" = "build" ] || [ "${MODE}" = "fast" ]; then
-  for component in server sandbox; do
+  for component in gateway sandbox; do
     tasks/scripts/cluster-push-component.sh "${component}"
   done
 fi
diff --git a/tasks/scripts/cluster-deploy-fast.sh b/tasks/scripts/cluster-deploy-fast.sh
diff --git a/tasks/scripts/cluster-push-component.sh b/tasks/scripts/cluster-push-component.sh
diff --git a/tasks/scripts/docker-build-component.sh b/tasks/scripts/docker-build-component.sh
diff --git a/tasks/scripts/docker-publish-multiarch.sh b/tasks/scripts/docker-publish-multiarch.sh

Original file line number	Diff line number	Diff line change
`@@ -12,7 +12,7 @@`
`12`	`12`	`# - HelmChart CR for auto-deploying OpenShell`
`13`	`13`	`# - Custom entrypoint for DNS configuration in Docker environments`
`14`	`14`	`#`
`15`		`-# Component images (openshell/server, openshell/sandbox) are`
	`15`	`+# Component images (openshell/gateway, openshell/sandbox) are`
`16`	`16`	`# pulled at runtime from the distribution registry rather than bundled as tarballs.`
`17`	`17`	`# Registry credentials are generated by the entrypoint script at container start.`
`18`	`18`	`#`