feat(providers): derive discovery from profiles

[johntmyers]

Summary

Adds profile-backed credential discovery for providers v2 so explicit --from-existing flows can discover credentials from provider profile metadata instead of requiring a hard-coded provider plugin. The discovery schema references credential names, keeps env vars sourced from credentials[*].env_vars, and keeps v2 provider attachment explicit.

Related Issue

Closes #1460

Changes

• Adds ProviderProfileDiscovery to the provider profile proto and YAML DTO.
• Adds discovery.credentials to the built-in GitHub, Claude Code, and NVIDIA profiles.
• Makes the built-in GitHub profile read-only by default across REST, GitHub web, and GitHub GraphQL endpoints.
• Implements generic profile-backed discovery that scans referenced credential env vars and stores discovered credentials under the actual env var key.
• Keeps two explicit discovery paths:
  • providers_v2_enabled=false: --from-existing uses the legacy ProviderRegistry discovery path.
  • providers_v2_enabled=true: --from-existing uses provider profile discovery only; if no profile exists for the type, the command fails clearly instead of falling back to v1 discovery.
• Routes provider create/update --from-existing through profile-backed discovery when providers_v2_enabled is true, while keeping legacy registry discovery for v1.
• Disables command-derived provider inference during sandbox creation when providers v2 is enabled, so v2 does not auto-attach providers from commands.
• Updates Providers docs to cover built-in v2 profiles, profile discovery, the v1/v2 --from-existing split, explicit v2 provider attachment, and refresh-token support.
• Adds unit and CLI integration coverage for profile discovery success/failure, legacy/v2 discovery path separation, sandbox create no-inference behavior, GitHub profile policy defaults, and profile discovery import/export behavior.

Testing

• mise run pre-commit passes
  • Ran RUSTC_WRAPPER= mise run pre-commit; it failed on pre-existing ignored architecture/plans/*.md markdown lint errors unrelated to this branch. Fern docs validation, Python checks, Helm lint, license check, and Rust format check completed before the task failed. I stopped the remaining Rust phase after the markdown failure had already made the task fail.
• Unit tests added/updated
  • CARGO_TARGET_DIR=/tmp/openshell-target-1460 RUSTC_WRAPPER= cargo test -p openshell-providers
  • CARGO_TARGET_DIR=/tmp/openshell-target-1460 RUSTC_WRAPPER= cargo test -p openshell-providers github_profile_materializes_policy_metadata
  • CARGO_TARGET_DIR=/tmp/openshell-target-1460 RUSTC_WRAPPER= cargo test -p openshell-server provider_policy_layers_include_known_provider_profiles
  • CARGO_TARGET_DIR=/tmp/openshell-target-1460 RUSTC_WRAPPER= cargo test -p openshell-cli --lib
  • CARGO_TARGET_DIR=/tmp/openshell-target-1460 RUSTC_WRAPPER= cargo test -p openshell-cli --test provider_commands_integration
  • CARGO_TARGET_DIR=/tmp/openshell-target-1460 RUSTC_WRAPPER= cargo test -p openshell-cli --test sandbox_create_lifecycle_integration
  • CARGO_TARGET_DIR=/tmp/openshell-target-1460 RUSTC_WRAPPER= cargo test -p openshell-cli --test ensure_providers_integration
  • CARGO_TARGET_DIR=/tmp/openshell-target-1460 RUSTC_WRAPPER= cargo clippy -p openshell-providers -p openshell-cli --all-targets -- -D warnings
  • CARGO_TARGET_DIR=/tmp/openshell-target-1460 RUSTC_WRAPPER= cargo check -p openshell-server --tests
• Docs validation
  • mise run docs
• E2E tests added/updated (if applicable)
  • Not applicable; this changes explicit profile discovery and CLI wiring, not sandbox runtime policy enforcement.

Checklist

• Follows Conventional Commits
• Commits are signed off (DCO)
• Architecture docs updated (if applicable)
  • Not applicable; no architecture-doc change for this incremental provider profile discovery implementation.

[copy-pr-bot]

Auto-sync is disabled for draft pull requests in this repository. Workflows must be run manually.

Contributors can view more details about this message here.

[github-actions]

🌿 Preview your docs: https://nvidia-preview-pr-1503.docs.buildwithfern.com/openshell

[github-actions]

Label test:e2e applied for 5eb1546. Open the existing run and click Re-run all jobs to execute with the label set. The run will execute the standard E2E suite after building the required gateway and supervisor images once. The matching required CI gate status on this PR will flip green automatically once the run finishes.