feat(relay): [SPIKE] route forwarding through ForwardTcp #1029

Draft
pimlock wants to merge 2 commits into main from os-88-forwardtcp-relay/pml

pimlock (Collaborator) commented Apr 28, 2026

Summary

Route SSH and service forwarding through the generic gRPC ForwardTcp byte stream, backed by targetable supervisor relays.

This validates the OS-88 approach of using one dumb TCP forwarding path for both OpenSSH proxying and sandbox-local service forwarding, while removing the old HTTP /connect/ssh tunnel.

Related Issue

OS-88

Changes

  • Add ForwardTcp, TcpForwardFrame, and targetable relay protobuf messages for SSH and loopback TCP targets.
  • Move OpenSSH ProxyCommand traffic and openshell service forward through ForwardTcp with token validation and connection accounting.
  • Remove the HTTP /connect/ssh route and replace HTTP-tunnel session lifecycle code with shared SSH session persistence/reaping.
  • Dial TCP service targets from the sandbox network namespace and keep the target scope loopback-only.
  • Update OCSF relay logging, architecture docs, sandbox docs, and cluster image push behavior to rebuild before pushing.

Testing

  • mise run pre-commit passes
  • Live navigator gateway deploy verified with cluster-deploy-fast.sh all
  • sandbox exec over the updated SSH path returns os88-exec-ok
  • OpenSSH ProxyCommand over ForwardTcp(target.ssh) returns os88-ssh-ok
  • openshell service forward to sandbox-local HTTP server returns os88-service-ok
  • Relay benchmark run captured locally in architecture/plans/perf-os88-forwardtcp.txt

Checklist

  • Follows Conventional Commits
  • Commits are signed off (DCO)
  • Architecture docs updated (if applicable)
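
The loopback-only target scope named in the Changes list, sketched as an added example that is not code from this PR or the openshell project. It assumes a forward target arrives as a host string plus a port; `resolve_loopback_target`, `TargetRejected` and `audit` are hypothetical names.

```python
from __future__ import annotations
import ipaddress

class TargetRejected(ValueError):
    """The requested forward target is outside loopback scope."""

def resolve_loopback_target(host: str, port: int) -> tuple[str, int]:
    """Return the (ip, port) to dial, or raise TargetRejected.

    The caller must dial the returned literal, never the original string,
    so the address that was checked is the address that gets connected to.
    """
    if isinstance(port, bool) or not isinstance(port, int) or not 1 <= port <= 65535:
        raise TargetRejected(f"port out of range: {port!r}")
    if host.lower() == "localhost":
        # Pin the name to a fixed literal instead of asking a resolver.
        return ("127.0.0.1", port)
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # Any other hostname is refused: a name can resolve to anything.
        raise TargetRejected(f"not an IP literal: {host!r}") from None
    if addr.version == 6 and addr.ipv4_mapped is not None:
        # ::ffff:a.b.c.d reaches the IPv4 host a.b.c.d; judge it as IPv4.
        addr = addr.ipv4_mapped
    if not addr.is_loopback:
        raise TargetRejected(f"not loopback: {addr}")
    return (str(addr), port)

# Constructed sample requests (not taken from the PR).
SAMPLE_REQUESTS = [
    ("127.0.0.1", 8080), ("localhost", 8080), ("::1", 8080),
    ("::ffff:127.0.0.1", 80), ("0.0.0.0", 80), ("169.254.169.254", 80),
    ("::ffff:10.0.0.5", 22), ("sandbox.internal", 80), ("127.0.0.1", 70000),
]

def audit(requests):
    """Map each request to the address that would be dialed, or None."""
    decisions = {}
    for host, port in requests:
        try:
            decisions[(host, port)] = resolve_loopback_target(host, port)
        except TargetRejected:
            decisions[(host, port)] = None
    return decisions

if __name__ == "__main__":
    for request, dialed in audit(SAMPLE_REQUESTS).items():
        print(request, "->", dialed or "REJECTED")
```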

copy-pr-bot (Bot) commented Apr 28, 2026

Auto-sync is disabled for draft pull requests in this repository. Workflows must be run manually.

Contributors can view more details about this message here.

pimlock changed the title from "feat(relay): route forwarding through ForwardTcp" to "feat(relay): [SPIKE] route forwarding through ForwardTcp" on Apr 28, 2026

pimlock (Collaborator, Author) commented Apr 28, 2026

OS-88 ForwardTcp performance results

Benchmark source: openshell 0.0.37-dev.39+g2646b8c6, ITERS=15, N_STORM=50.

| Metric | Result |
| --- | --- |
| Exec latency p50 / p95 | 0.170 s / 0.219 s |
| Connect latency p50 / p95 | 0.559 s / 0.778 s |
| Bulk stdout 50 MiB | 461.2 Mbps |
| Upload 50 MiB tar-over-SSH | 393.0 Mbps |
| Download 50 MiB tar-over-SSH | 249.4 Mbps |
| Small-frame 10,000 lines | 0.181 s |
| 10x parallel 1s execs | 1.198 s, 0 failures |
| 20x parallel zero-sleep execs | 0.302 s, 0 failures |
| 50-relay storm wall time | 3.717 s, 0 failures |
| Rapid churn 50x exec true | 8.250 s, 0 failures |
| Peak non-loopback supervisor TCPs | 3 baseline / 3 peak |

Comparison note: against the prior gRPC tuned run, exec-oriented metrics were mostly faster, bulk stdout throughput was lower, and connect latency was slower. Since those runs used different clusters, treat latency and throughput deltas as directional rather than exact regressions. The key architectural result holds: a 50-relay storm keeps supervisor-to-gateway non-loopback TCPs flat at baseline.

pimlock self-assigned this Apr 28, 2026
pimlock added the test:e2e (Requires end-to-end coverage) label Apr 28, 2026

@github-actions

Label test:e2e applied, but pull-request/1029 is at {"messa while the PR head is 6c2cafa. A maintainer needs to comment /ok to test 6c2cafaefa69a55efe26eb74d2793b220a63f95e to refresh the mirror. Once the mirror catches up, re-run Branch E2E Checks from the Actions tab.

pimlock (Collaborator, Author) commented Apr 28, 2026

/ok to test 6c2cafa

pimlock (Collaborator, Author) commented Apr 29, 2026

/ok to test 52fba8a
