diff --git a/crates/openshell-server/src/grpc.rs b/crates/openshell-server/src/grpc.rs index 450685ff..3ed2fad0 100644 --- a/crates/openshell-server/src/grpc.rs +++ b/crates/openshell-server/src/grpc.rs @@ -901,8 +901,23 @@ impl OpenShell for OpenShellService { &self, request: Request, ) -> Result, Status> { + // Verify caller identity: the requesting sandbox must only access its + // own provider environment. The x-sandbox-id metadata header is set by + // the sandbox supervisor when it calls back to the gateway. + let caller_sandbox_id = request + .metadata() + .get("x-sandbox-id") + .and_then(|v| v.to_str().ok()) + .ok_or_else(|| Status::permission_denied("missing x-sandbox-id header"))?; + let sandbox_id = request.into_inner().sandbox_id; + if caller_sandbox_id != sandbox_id { + return Err(Status::permission_denied( + "cannot access another sandbox's provider environment", + )); + } + let sandbox = self .state .store diff --git a/crates/openshell-server/src/main.rs b/crates/openshell-server/src/main.rs index 4dd8e9e9..9acef6cc 100644 --- a/crates/openshell-server/src/main.rs +++ b/crates/openshell-server/src/main.rs @@ -139,6 +139,15 @@ async fn main() -> Result<()> { let args = Args::parse(); + // Require explicit acknowledgment for insecure mode. + if args.disable_tls && std::env::var("OPENSHELL_ALLOW_INSECURE").as_deref() != Ok("1") { + eprintln!( + "ERROR: --disable-tls removes all transport security.\n\ + Set OPENSHELL_ALLOW_INSECURE=1 to confirm." + ); + std::process::exit(1); + } + // Initialize tracing let tracing_log_bus = TracingLogBus::new(); tracing_log_bus.install_subscriber( @@ -229,6 +238,7 @@ async fn main() -> Result<()> { } if args.disable_tls { + eprintln!("WARNING: TLS disabled — all traffic is plaintext"); info!("TLS disabled — listening on plaintext HTTP"); } else if args.disable_gateway_auth { info!("Gateway auth disabled — accepting connections without client certificates");