Default-secure: localhost bind, enforce mode, apple-container backend

container-bridge/Sources/Main.swift

@@ -22,7 +22,7 @@ struct ContainerBridgeDaemon: AsyncParsableCommand {
     var port: Int = 50052
 
     @Option(name: .long, help: "Host to bind to")
-    var host: String = "0.0.0.0"
+    var host: String = "127.0.0.1"
 
     func run() async throws {
         var logger = Logger(label: "com.openshell.container-bridge")

crates/openshell-core/src/config.rs

@@ -313,7 +313,7 @@ impl Config {
 }
 
 fn default_bind_address() -> SocketAddr {
-    "0.0.0.0:8080".parse().expect("valid default address")
+    "127.0.0.1:8080".parse().expect("valid default address")
 }
 
 fn default_log_level() -> String {
@@ -349,5 +349,5 @@ const fn default_ssh_session_ttl_secs() -> u64 {
 }
 
 fn default_sandbox_backend() -> String {
-    "kubernetes".to_string()
+    "apple-container".to_string()
 }

crates/openshell-sandbox/src/l7/mod.rs

@@ -47,9 +47,9 @@ pub enum TlsMode {
 #[derive(Debug, Clone, Copy, PartialEq, Eq, Default)]
 pub enum EnforcementMode {
     /// Log violations but allow traffic through (safe migration path).
-    #[default]
     Audit,
     /// Deny violations — blocked requests never reach upstream.
+    #[default]
     Enforce,
 }
 
@@ -106,8 +106,8 @@ pub fn parse_l7_config(val: &regorus::Value) -> Option<L7EndpointConfig> {
     };
 
     let enforcement = match get_object_str(val, "enforcement").as_deref() {
-        Some("enforce") => EnforcementMode::Enforce,
-        _ => EnforcementMode::Audit,
+        Some("audit") => EnforcementMode::Audit,
+        _ => EnforcementMode::Enforce,
     };
 
     Some(L7EndpointConfig {
@@ -396,7 +396,7 @@ mod tests {
         let config = parse_l7_config(&val).unwrap();
         assert_eq!(config.protocol, L7Protocol::Rest);
         assert_eq!(config.tls, TlsMode::Auto);
-        assert_eq!(config.enforcement, EnforcementMode::Audit);
+        assert_eq!(config.enforcement, EnforcementMode::Enforce);
     }
 
     #[test]

crates/openshell-server/src/main.rs

@@ -18,7 +18,7 @@ use openshell_server::{run_server, tracing_bus::TracingLogBus};
 #[command(version = openshell_core::VERSION)]
 #[command(about = "OpenShell gRPC/HTTP server", long_about = None)]
 struct Args {
-    /// Port to bind the server to (all interfaces).
+    /// Port to bind the server to (localhost only by default).
     #[arg(long, default_value_t = 8080, env = "OPENSHELL_SERVER_PORT")]
     port: u16,
 
@@ -146,7 +146,7 @@ async fn main() -> Result<()> {
     );
 
     // Build configuration
-    let bind = SocketAddr::from(([0, 0, 0, 0], args.port));
+    let bind = SocketAddr::from(([127, 0, 0, 1], args.port));
 
     let tls = if args.disable_tls {
         None