Add sandbox metadata req

[robindiddams]

Summary by CodeRabbit

• New Features
  • Retrieve sandbox metadata via an authenticated call, with an option to generate and return certificate data.
  • Metadata responses now include a certificate bundle and optional extra host entries to improve provisioning and connectivity.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

📝 Walkthrough

Walkthrough

Adds a new GetSandboxMetadata gRPC RPC and messages to GravityControl, adds cert fields to deployment messages, and implements GravityClient.GetSandboxMetadata which builds a request, attaches Bearer auth metadata, and calls the new RPC.

Changes

Cohort / File(s)	Summary
Proto service & messages gravity/proto/gravity.proto	Added rpc GetSandboxMetadata(SandboxMetadataRequest) returns (SandboxMetadataResponse);. Added messages SandboxMetadataRequest (sandbox_id, org_id, generate_certificate) and SandboxMetadataResponse (success, error, extra_hosts, cert_bundle). Added string cert = 12; to ExistingDeployment and string cert_bundle = 8; to DeploymentMetadataResponse.
Go client implementation gravity/grpc_client.go	Added func (g *GravityClient) GetSandboxMetadata(ctx context.Context, sandboxID, orgID string, generateCertificate bool) (*pb.SandboxMetadataResponse, error) which validates a control client exists, constructs the request, attaches Bearer token metadata, and calls GetSandboxMetadata on the control client.

Sequence Diagram(s)

(omitted — changes do not introduce a multi-component sequential flow requiring visualization)

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

🚥 Pre-merge checks | ✅ 1

✅ Passed checks (1 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch new-grpc

---

📜 Recent review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 2e6cb99 and 61a3d61.

⛔ Files ignored due to path filters (1)

• gravity/proto/gravity.pb.go is excluded by !**/*.pb.go

📒 Files selected for processing (1)

• gravity/proto/gravity.proto

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: Analyze (go)

🔇 Additional comments (4)

gravity/proto/gravity.proto (4)

15-17: LGTM!

The new GetSandboxMetadata RPC follows the established pattern of GetDeploymentMetadata and uses consistent naming conventions for request/response messages.

---

231-231: LGTM!

The new cert field (field 12) maintains proper sequential numbering. The comment clarifies its purpose as storing just the issued PEM certificate, distinct from the full deployment_cert which contains cert, key, and CA.

---

567-567: Clarify relationship between cert_bundle and deployment_cert.

DeploymentMetadataResponse now has two fields providing certificate material:

• deployment_cert (field 4): Structured DeploymentCert message with separate cert, key, ca, dnsname fields
• cert_bundle (field 8): Single concatenated PEM string

Is cert_bundle intended to complement or eventually replace deployment_cert? If both are populated, clients may be uncertain which to use. Consider adding a comment clarifying when each field is used, or deprecating one if they serve the same purpose.

---

576-590: LGTM!

The new SandboxMetadataRequest and SandboxMetadataResponse messages follow established patterns:

• Sequential field numbering starting at 1
• Consistent success/error response pattern
• generate_certificate flag provides flexibility for conditional cert generation
• Field names align with corresponding fields in DeploymentMetadataResponse

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In @gravity/proto/gravity.proto:
- Around line 567-568: Fix the truncated comment on the cert field in the
ExistingDeployment message by completing the comment to say "(cert, ca, key)" to
match SandboxMetadataResponse.cert; also review and align the comment on
ExistingDeployment.cert (and any other cert fields) so all cert bundle comments
consistently reflect whether they include key or not (e.g., change the
ExistingDeployment.cert comment from "(cert, ca)" to "(cert, ca, key)" if the
bundle includes the key).

📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 4c5cfb6 and d9a5e2e.

⛔ Files ignored due to path filters (2)

• gravity/proto/gravity.pb.go is excluded by !**/*.pb.go
• gravity/proto/gravity_grpc.pb.go is excluded by !**/*.pb.go

📒 Files selected for processing (2)

• gravity/grpc_client.go
• gravity/proto/gravity.proto

🧰 Additional context used

🧬 Code graph analysis (1)

gravity/grpc_client.go (1)

gravity/proto/gravity.pb.go (6)

• SandboxMetadataResponse (4187-4195)
• SandboxMetadataResponse (4208-4208)
• SandboxMetadataResponse (4223-4225)
• SandboxMetadataRequest (4126-4133)
• SandboxMetadataRequest (4146-4146)
• SandboxMetadataRequest (4161-4163)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)

• GitHub Check: build
• GitHub Check: Analyze (go)

🔇 Additional comments (4)

gravity/grpc_client.go (1)

2337-2355: LGTM! Implementation follows established patterns.

The new GetSandboxMetadata method correctly mirrors the existing GetDeploymentMetadata implementation pattern:

• Validates control client availability before use
• Properly constructs the request with all required fields
• Attaches authorization metadata via Bearer token
• Delegates context/timeout management to the caller

gravity/proto/gravity.proto (3)

15-17: LGTM! RPC definition is well-structured.

The new GetSandboxMetadata RPC follows the established pattern of the existing GetDeploymentMetadata RPC with appropriate request/response message types.

---

231-231: LGTM! Field addition maintains wire compatibility.

Field number 12 is appropriate and doesn't conflict with existing fields. The cert field extends ExistingDeployment to support certificate propagation during state synchronization.

---

576-589: LGTM! Message definitions are well-structured.

The SandboxMetadataRequest and SandboxMetadataResponse messages are properly defined with appropriate field types and numbers. The response structure follows the same pattern as DeploymentMetadataResponse with success/error fields and domain-specific data.

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

gravity/proto/gravity.proto (1)

16-17: Consider improving the RPC comment for clarity.

The comment // get sandbox metadata (ie a cert) is informal and may undersell what this RPC provides. Based on the response message, it returns extra_hosts in addition to the certificate. Consider a more descriptive comment like:

-  // get sandbox metadata (ie a cert)
+  // get sandbox metadata for provisioning (extra hosts, optional certificate)
   rpc GetSandboxMetadata(SandboxMetadataRequest) returns (SandboxMetadataResponse);

📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between d9a5e2e and 4a3a6e2.

⛔ Files ignored due to path filters (1)

• gravity/proto/gravity.pb.go is excluded by !**/*.pb.go

📒 Files selected for processing (1)

• gravity/proto/gravity.proto

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: Analyze (go)

🔇 Additional comments (3)

gravity/proto/gravity.proto (3)

231-231: Clarify the distinction between deployment_cert and cert fields.

ExistingDeployment now has two certificate-related fields:

• deployment_cert (field 7): Contains cert, key, ca, and dnsname
• cert (field 12): PEM certificate bundle (cert only, per comment)

Consider adding a comment explaining when each should be used, or whether one is intended to replace the other over time. This will help maintainers understand the intended usage pattern.

---

576-582: LGTM!

The SandboxMetadataRequest message is well-structured with appropriate field types and numbering. The generate_certificate boolean flag provides good flexibility for callers to opt-in to certificate generation.

---

584-590: LGTM!

The SandboxMetadataResponse follows the established success/error pattern used by other response messages in this proto file. The structure appropriately returns sandbox-specific metadata without unnecessary fields.

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In @gravity/proto/gravity.proto:
- Line 231: The comment for the protobuf field cert is misleading: replace "PEM
certificate bundle (just cert, ca + key not required)" with a clearer
description such as "PEM certificate (leaf certificate only; CA and private key
not required)" so the meaning of the string cert = 12; field is unambiguous;
also scan for other occurrences of "bundle" in related fields and make analogous
clarifying edits to keep comments consistent.

📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 4a3a6e2 and 2e6cb99.

⛔ Files ignored due to path filters (1)

• gravity/proto/gravity.pb.go is excluded by !**/*.pb.go

📒 Files selected for processing (1)

• gravity/proto/gravity.proto

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: Analyze (go)

🔇 Additional comments (3)

gravity/proto/gravity.proto (3)

15-17: LGTM!

The new GetSandboxMetadata RPC follows the existing patterns in the service and properly references the request/response message types defined below.

---

567-567: LGTM!

The cert_bundle field follows proper proto3 field numbering and the comment clearly documents the expected contents (cert, ca, key).

---

576-590: LGTM!

The new SandboxMetadataRequest and SandboxMetadataResponse messages are well-structured and follow the established patterns in this proto file (e.g., DeploymentMetadataRequest/Response). Field numbering is sequential and the success/error pattern is consistent with other response types.