diff --git a/container-bridge/Sources/Main.swift b/container-bridge/Sources/Main.swift
index 8ce153a0..69817025 100644
--- a/container-bridge/Sources/Main.swift
+++ b/container-bridge/Sources/Main.swift
@@ -22,7 +22,7 @@ struct ContainerBridgeDaemon: AsyncParsableCommand {
 var port: Int = 50052
 @Option(name: .long, help: "Host to bind to")
- var host: String = "0.0.0.0"
+ var host: String = "127.0.0.1"
 func run() async throws {
 var logger = Logger(label: "com.openshell.container-bridge")
diff --git a/crates/openshell-core/src/config.rs b/crates/openshell-core/src/config.rs
index 2bfb7d47..c5440070 100644
--- a/crates/openshell-core/src/config.rs
+++ b/crates/openshell-core/src/config.rs
@@ -313,7 +313,7 @@ impl Config {
 }
 fn default_bind_address() -> SocketAddr {
- "0.0.0.0:8080".parse().expect("valid default address")
+ "127.0.0.1:8080".parse().expect("valid default address")
 }
 fn default_log_level() -> String {
@@ -349,5 +349,5 @@ const fn default_ssh_session_ttl_secs() -> u64 {
 }
 fn default_sandbox_backend() -> String {
- "kubernetes".to_string()
+ "apple-container".to_string()
 }
diff --git a/crates/openshell-sandbox/src/l7/mod.rs b/crates/openshell-sandbox/src/l7/mod.rs
index 09e54788..cf9f9be0 100644
--- a/crates/openshell-sandbox/src/l7/mod.rs
+++ b/crates/openshell-sandbox/src/l7/mod.rs
@@ -47,9 +47,9 @@ pub enum TlsMode {
 #[derive(Debug, Clone, Copy, PartialEq, Eq, Default)]
 pub enum EnforcementMode {
 /// Log violations but allow traffic through (safe migration path).
- #[default]
 Audit,
 /// Deny violations — blocked requests never reach upstream.
+ #[default]
 Enforce,
 }
@@ -106,8 +106,8 @@ pub fn parse_l7_config(val: ®orus::Value) -> Option {
 };
 let enforcement = match get_object_str(val, "enforcement").as_deref() {
- Some("enforce") => EnforcementMode::Enforce,
- _ => EnforcementMode::Audit,
+ Some("audit") => EnforcementMode::Audit,
+ _ => EnforcementMode::Enforce,
 };
 Some(L7EndpointConfig {
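Review bot: The `--host` help text in container-bridge/Sources/Main.swift still reads only "Host to bind to", so nothing tells an operator that the default is now loopback or what widening it means; the same gap applies to `default_bind_address()` in crates/openshell-core/src/config.rs, which has no doc comment in its hunk. I would extend the help string to `help: "Host to bind to (default 127.0.0.1; a non-loopback address makes the bridge reachable from the network)"` and add `/// Loopback by default; set an explicit address to accept remote connections.` above `default_bind_address`. Whether the bridge authenticates its callers is not visible here, so the wording should be checked against what `run()` actually sets up; its body continues outside the hunk.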
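Review bot: The switch of `default_sandbox_backend()` in crates/openshell-core/src/config.rs from `"kubernetes"` to `"apple-container"` is a different kind of change from the bind-address hardening in the rest of this commit, and it is undocumented. Any existing configuration that omits the backend key will select a different sandbox backend after upgrade, and judging by the name the new default is presumably usable only on Apple hosts, so a Linux deployment could start with a backend it cannot run. A doc comment such as `/// Backend used when none is configured; existing Kubernetes deployments must set this explicitly.` would make the contract visible. If backend availability is not validated at startup (not visible in this hunk), failing early with a clear error is preferable to failing at the first sandbox creation.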
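Review bot: In `parse_l7_config` (crates/openshell-sandbox/src/l7/mod.rs), the catch-all arm `_ => EnforcementMode::Enforce` fails closed, which is the right direction, but it also swallows misspelled values: `"Audit"` or `"audti"` now silently blocks traffic with no indication that the policy value was not recognised. I would spell the accepted values out, `Some("enforce") | None => EnforcementMode::Enforce,`, and keep a final `Some(other)` arm that still returns `Enforce` but logs `other`, so an operator can see why requests are being denied. Policies that omit `enforcement` move from audit to blocking with this change, which deserves a line in the release notes. A test for an unrecognised string would pin the fail-closed behaviour; the function body starts and ends outside the hunk.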
@@ -396,7 +396,7 @@ mod tests {
 let config = parse_l7_config(&val).unwrap();
 assert_eq!(config.protocol, L7Protocol::Rest);
 assert_eq!(config.tls, TlsMode::Auto);
- assert_eq!(config.enforcement, EnforcementMode::Audit);
+ assert_eq!(config.enforcement, EnforcementMode::Enforce);
 }
 #[test]
diff --git a/crates/openshell-server/src/main.rs b/crates/openshell-server/src/main.rs
index 4dd8e9e9..8f41eb87 100644
--- a/crates/openshell-server/src/main.rs
+++ b/crates/openshell-server/src/main.rs
@@ -18,7 +18,7 @@ use openshell_server::{run_server, tracing_bus::TracingLogBus};
 #[command(version = openshell_core::VERSION)]
 #[command(about = "OpenShell gRPC/HTTP server", long_about = None)]
 struct Args {
- /// Port to bind the server to (all interfaces).
+ /// Port to bind the server to (localhost only by default).
 #[arg(long, default_value_t = 8080, env = "OPENSHELL_SERVER_PORT")]
 port: u16,
@@ -146,7 +146,7 @@ async fn main() -> Result<()> {
 );
 // Build configuration
- let bind = SocketAddr::from(([0, 0, 0, 0], args.port));
+ let bind = SocketAddr::from(([127, 0, 0, 1], args.port));
 let tls = if args.disable_tls {
 None
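Review bot: The new doc comment on `port` in crates/openshell-server/src/main.rs says "localhost only by default", but the later hunk in this file builds the address as `SocketAddr::from(([127, 0, 0, 1], args.port))`, and no host or bind-address option is visible in `Args` here, so there appears to be no way to change that default. The clap doc comment is also the `--help` text, so it should describe what the binary does: either `/// Port to bind the server to (loopback only).` if the hard-coded address is intended, or add a bind-address argument and build `bind` from it. The rest of `Args` lies outside the hunk, so an existing option may already cover this. `default_bind_address()` in openshell-core carries its own `127.0.0.1:8080`, which this code path does not appear to consult, so the two defaults can drift apart.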