feat: build CLI during pull request

.github/workflows/branch-e2e.yml

@@ -48,6 +48,18 @@ jobs:
       platform: linux/arm64
       publish-manifest: false
 
+  build-cli:
+    needs: [pr_metadata]
+    if: needs.pr_metadata.outputs.should_run == 'true'
+    permissions:
+      contents: read
+      packages: read
+    uses: ./.github/workflows/docker-build.yml
+    with:
+      component: cli
+      platform: linux/amd64
+    secrets: inherit
+
   e2e:
     needs: [pr_metadata, build-gateway, build-supervisor]
     if: needs.pr_metadata.outputs.should_run == 'true'

.github/workflows/docker-build.yml

@@ -4,7 +4,7 @@ on:
   workflow_call:
     inputs:
       component:
-        description: "Component to build (gateway, supervisor)"
+        description: "Component to build (gateway, supervisor, cli)"
         required: true
         type: string
       timeout-minutes:
@@ -71,6 +71,8 @@ jobs:
       binary_name: ${{ steps.resolve.outputs.binary_name }}
       artifact_prefix: ${{ steps.resolve.outputs.artifact_prefix }}
       image_tag_base: ${{ steps.resolve.outputs.image_tag_base }}
+      features: ${{ steps.resolve.outputs.features }}
+      has_image: ${{ steps.resolve.outputs.has_image }}
     steps:
       - name: Resolve component and platform matrix
         id: resolve
@@ -82,10 +84,20 @@ jobs:
             gateway)
               binary_component=gateway
               binary_name=openshell-gateway
+              features="openshell-core/dev-settings"
+              has_image=true
               ;;
             supervisor)
               binary_component=sandbox
               binary_name=openshell-sandbox
+              features="openshell-core/dev-settings"
+              has_image=true
+              ;;
+            cli)
+              binary_component=cli
+              binary_name=openshell
+              features="bundled-z3"
+              has_image=false
               ;;
             *)
               echo "unsupported component: $component" >&2
@@ -144,6 +156,8 @@ jobs:
             echo "binary_name=$binary_name"
             echo "artifact_prefix=rust-binary-${component}-${binary_component}"
             echo "image_tag_base=$image_tag_base"
+            echo "features=$features"
+            echo "has_image=$has_image"
           } >> "$GITHUB_OUTPUT"
 
   rust-binary:
@@ -162,13 +176,14 @@ jobs:
       cargo-version: ${{ inputs['cargo-version'] }}
       image-tag: ${{ needs.resolve.outputs.image_tag_base }}
       checkout-ref: ${{ inputs['checkout-ref'] }}
-      features: openshell-core/dev-settings
+      features: ${{ needs.resolve.outputs.features }}
       artifact-name: ${{ needs.resolve.outputs.artifact_prefix }}-linux-${{ matrix.arch }}
     secrets: inherit
 
   build:
     name: Build ${{ inputs.component }} (${{ matrix.arch }})
     needs: [resolve, rust-binary]
+    if: needs.resolve.outputs.has_image == 'true'
     runs-on: ${{ matrix.runner }}
     timeout-minutes: ${{ inputs['timeout-minutes'] }}
     strategy:
@@ -262,7 +277,7 @@ jobs:
   merge:
     name: Merge ${{ inputs.component }} manifest
     needs: [resolve, build]
-    if: ${{ inputs.push && inputs['publish-manifest'] }}
+    if: ${{ inputs.push && inputs['publish-manifest'] && needs.resolve.outputs.has_image == 'true' }}
     runs-on: linux-amd64-cpu8
     timeout-minutes: 10
     container:

.github/workflows/rust-native-build.yml

@@ -1,18 +1,18 @@
 # SPDX-FileCopyrightText: Copyright (c) 2025-2026 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
 # SPDX-License-Identifier: Apache-2.0
 
-name: Rust Image Binary Build (openshell-gateway / openshell-sandbox)
+name: Rust Image Binary Build (openshell-gateway / openshell-sandbox / openshell-cli)
 
 # Build Rust binaries per Linux architecture before the Docker image build
 # consumes them as prebuilt artifacts. Gateway images use GNU-linked binaries
-# for the NVIDIA distroless C/C++ runtime; supervisor images use musl/static
+# for the NVIDIA distroless C/C++ runtime; supervisor and cli images use musl/static
 # binaries so the final image can remain scratch.
 
 on:
   workflow_call:
     inputs:
       component:
-        description: "Binary component to build (gateway or sandbox)"
+        description: "Binary component to build (gateway, sandbox, or cli)"
         required: true
         type: string
       arch:
@@ -114,6 +114,11 @@ jobs:
               binary=openshell-sandbox
               zig_target=
               ;;
+            cli)
+              crate=openshell-cli
+              binary=openshell
+              zig_target=
+              ;;
             *)
               echo "unsupported component: $COMPONENT" >&2
               exit 1
@@ -122,15 +127,15 @@ jobs:
 
           case "$ARCH" in
             amd64)
-              if [[ "$COMPONENT" == "sandbox" ]]; then
+              if [[ "$COMPONENT" == "sandbox" || "$COMPONENT" == "cli" ]]; then
                 target=x86_64-unknown-linux-musl
                 zig_target=x86_64-linux-musl
               else
                 target=x86_64-unknown-linux-gnu
               fi
               ;;
             arm64)
-              if [[ "$COMPONENT" == "sandbox" ]]; then
+              if [[ "$COMPONENT" == "sandbox" || "$COMPONENT" == "cli" ]]; then
                 target=aarch64-unknown-linux-musl
                 zig_target=aarch64-linux-musl
               else
@@ -202,6 +207,12 @@ jobs:
           echo "CARGO_TARGET_${TARGET_ENV_UPPER}_LINKER=/tmp/zig-musl/cc" >> "$GITHUB_ENV"
           echo "CARGO_TARGET_${TARGET_ENV_UPPER}_RUSTFLAGS=-Clink-self-contained=no" >> "$GITHUB_ENV"
 
+          # z3 built with zig c++ uses libc++ symbols (std::__1::*).
+          # Override z3-sys default (stdc++) so Rust links the matching runtime.
+          if [[ "$COMPONENT" == "cli" ]]; then
+            echo "CXXSTDLIB=c++" >> "$GITHUB_ENV"
+          fi
+
       - name: Build ${{ steps.target.outputs.binary }} (${{ steps.target.outputs.target }})
         env:
           # Preserve the release-codegen setting used by the old Dockerfile