From 721f4bdca7feb72653a740a93a7ae21a68e5b0df Mon Sep 17 00:00:00 2001
From: John Myers <johntmyers@users.noreply.github.com>
Date: Thu, 2 Apr 2026 15:28:26 -0700
Subject: [PATCH 01/10] fix(install): restrict tar extraction to expected
 binary member

Prevents CWE-22 path traversal by extracting only the expected APP_NAME
member instead of the full archive contents. Adds --no-same-owner and
--no-same-permissions for defense-in-depth.

OS-20
---
 install.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/install.sh b/install.sh
index 565c48c0..0ad6eee6 100755
--- a/install.sh
+++ b/install.sh
@@ -277,7 +277,7 @@ main() {
 
   # Extract
   info "extracting..."
-  tar -xzf "${_tmpdir}/${_filename}" -C "${_tmpdir}"
+  tar -xzf "${_tmpdir}/${_filename}" -C "${_tmpdir}" --no-same-owner --no-same-permissions "${APP_NAME}"
 
   # Install
   mkdir -p "$_install_dir" 2>/dev/null || true

From b8307dc7e3dc5c93a40a94b83b8d4330679a8938 Mon Sep 17 00:00:00 2001
From: John Myers <johntmyers@users.noreply.github.com>
Date: Thu, 2 Apr 2026 15:29:22 -0700
Subject: [PATCH 02/10] fix(deploy): quote registry credentials in YAML
 heredocs

Wraps username/password values with a yaml_quote helper to prevent YAML
injection from special characters in registry credentials (CWE-94).
Applied to all three heredoc blocks that emit registries.yaml auth.

OS-23
---
 deploy/docker/cluster-entrypoint.sh | 21 +++++++++++++++------
 1 file changed, 15 insertions(+), 6 deletions(-)

diff --git a/deploy/docker/cluster-entrypoint.sh b/deploy/docker/cluster-entrypoint.sh
index 367665db..86d61e06 100644
--- a/deploy/docker/cluster-entrypoint.sh
+++ b/deploy/docker/cluster-entrypoint.sh
@@ -25,6 +25,15 @@
 
 set -e
 
+# ---------------------------------------------------------------------------
+# Helpers
+# ---------------------------------------------------------------------------
+# Escape a value for safe embedding as a YAML single-quoted scalar.
+# Single quotes are the only character that needs escaping ('  ->  '').
+yaml_quote() {
+    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/''/g")"
+}
+
 # ---------------------------------------------------------------------------
 # Select iptables backend
 # ---------------------------------------------------------------------------
@@ -269,8 +278,8 @@ REGEOF
 configs:
   "${REGISTRY_HOST}":
     auth:
-      username: ${REGISTRY_USERNAME}
-      password: ${REGISTRY_PASSWORD}
+      username: $(yaml_quote "${REGISTRY_USERNAME}")
+      password: $(yaml_quote "${REGISTRY_PASSWORD}")
 REGEOF
     fi
 
@@ -284,8 +293,8 @@ REGEOF
             cat >> "$REGISTRIES_YAML" <<REGEOF
   "${COMMUNITY_REGISTRY_HOST}":
     auth:
-      username: ${COMMUNITY_REGISTRY_USERNAME}
-      password: ${COMMUNITY_REGISTRY_PASSWORD}
+      username: $(yaml_quote "${COMMUNITY_REGISTRY_USERNAME}")
+      password: $(yaml_quote "${COMMUNITY_REGISTRY_PASSWORD}")
 REGEOF
         else
             cat >> "$REGISTRIES_YAML" <<REGEOF
@@ -293,8 +302,8 @@ REGEOF
 configs:
   "${COMMUNITY_REGISTRY_HOST}":
     auth:
-      username: ${COMMUNITY_REGISTRY_USERNAME}
-      password: ${COMMUNITY_REGISTRY_PASSWORD}
+      username: $(yaml_quote "${COMMUNITY_REGISTRY_USERNAME}")
+      password: $(yaml_quote "${COMMUNITY_REGISTRY_PASSWORD}")
 REGEOF
         fi
     fi

From 77541a11e8bd570b13b4729db6f94ddcbf0c4803 Mon Sep 17 00:00:00 2001
From: John Myers <johntmyers@users.noreply.github.com>
Date: Thu, 2 Apr 2026 15:30:01 -0700
Subject: [PATCH 03/10] fix(server): redact session token in SSH tunnel
 rate-limit log

Logs only the last 4 characters of bearer tokens to prevent credential
exposure in log aggregation systems (CWE-532).

OS-18
---
 crates/openshell-server/src/ssh_tunnel.rs | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/crates/openshell-server/src/ssh_tunnel.rs b/crates/openshell-server/src/ssh_tunnel.rs
index 5dbff9b5..899f413b 100644
--- a/crates/openshell-server/src/ssh_tunnel.rs
+++ b/crates/openshell-server/src/ssh_tunnel.rs
@@ -28,6 +28,15 @@ const PREFACE_MAGIC: &str = "NSSH1";
 /// Maximum concurrent SSH tunnel connections per session token.
 const MAX_CONNECTIONS_PER_TOKEN: u32 = 3;
 
+/// Redact a bearer token for safe logging — show only the last 4 characters.
+fn redact_token(token: &str) -> String {
+    if token.len() <= 4 {
+        "****".to_string()
+    } else {
+        format!("****{}", &token[token.len() - 4..])
+    }
+}
+
 /// Maximum concurrent SSH tunnel connections per sandbox.
 const MAX_CONNECTIONS_PER_SANDBOX: u32 = 20;
 
@@ -116,7 +125,7 @@ async fn ssh_connect(
         let mut counts = state.ssh_connections_by_token.lock().unwrap();
         let count = counts.entry(token.clone()).or_insert(0);
         if *count >= MAX_CONNECTIONS_PER_TOKEN {
-            warn!(token = %token, "SSH tunnel: per-token connection limit reached");
+            warn!(token = %redact_token(&token), "SSH tunnel: per-token connection limit reached");
             return StatusCode::TOO_MANY_REQUESTS.into_response();
         }
         *count += 1;

From 2164677853e5aa0d77578ac1ca99129bcb8bf6c7 Mon Sep 17 00:00:00 2001
From: John Myers <johntmyers@users.noreply.github.com>
Date: Thu, 2 Apr 2026 15:30:20 -0700
Subject: [PATCH 04/10] fix(server): escape gateway_display in auth connect
 page

Applies html_escape() to the Host/X-Forwarded-Host header value before
rendering it into the HTML template, preventing HTML injection (CWE-79).

OS-17
---
 crates/openshell-server/src/auth.rs | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/crates/openshell-server/src/auth.rs b/crates/openshell-server/src/auth.rs
index 5a3229ff..3e7e8afd 100644
--- a/crates/openshell-server/src/auth.rs
+++ b/crates/openshell-server/src/auth.rs
@@ -68,9 +68,11 @@ async fn auth_connect(
         .and_then(|v| v.to_str().ok())
         .map_or_else(|| state.config.bind_address.to_string(), String::from);
 
+    let safe_gateway = html_escape(&gateway_display);
+
     match cf_token {
         Some(token) => Html(render_connect_page(
-            &gateway_display,
+            &safe_gateway,
             params.callback_port,
             &token,
             &params.code,

From 3c0d7e8d11ed0e7af4a1afc96b92769f0e34ad19 Mon Sep 17 00:00:00 2001
From: John Myers <johntmyers@users.noreply.github.com>
Date: Thu, 2 Apr 2026 15:34:59 -0700
Subject: [PATCH 05/10] fix(server): prevent XSS via code param with validation
 and proper JS escaping

Adds server-side validation rejecting confirmation codes that do not
match the CLI-generated format, replaces manual JS string escaping with
serde_json serialization (handling U+2028/U+2029 line terminators), and
adds a Content-Security-Policy header with nonce-based script-src.

OS-16
---
 crates/openshell-server/src/auth.rs | 138 +++++++++++++++++++++-------
 1 file changed, 106 insertions(+), 32 deletions(-)

diff --git a/crates/openshell-server/src/auth.rs b/crates/openshell-server/src/auth.rs
index 3e7e8afd..9fe7e9bb 100644
--- a/crates/openshell-server/src/auth.rs
+++ b/crates/openshell-server/src/auth.rs
@@ -22,11 +22,28 @@ use axum::{
     response::{Html, IntoResponse},
     routing::get,
 };
+use http::header;
 use serde::Deserialize;
 use std::sync::Arc;
 
 use crate::ServerState;
 
+/// Validate that a confirmation code matches the CLI-generated format.
+///
+/// Codes are 3 alphanumeric characters, a dash, then 4 alphanumeric characters
+/// (e.g., "AB7-X9KM"). The CLI generates these from the charset `[A-Z2-9]`.
+fn is_valid_code(code: &str) -> bool {
+    let bytes = code.as_bytes();
+    bytes.len() == 8
+        && bytes[3] == b'-'
+        && bytes[..3]
+            .iter()
+            .all(|b| b.is_ascii_uppercase() || b.is_ascii_digit())
+        && bytes[4..]
+            .iter()
+            .all(|b| b.is_ascii_uppercase() || b.is_ascii_digit())
+}
+
 #[derive(Deserialize)]
 struct ConnectParams {
     callback_port: u16,
@@ -54,6 +71,15 @@ async fn auth_connect(
     Query(params): Query<ConnectParams>,
     headers: HeaderMap,
 ) -> impl IntoResponse {
+    // Reject codes that don't match the CLI-generated format to prevent
+    // reflected XSS via crafted URLs.
+    if !is_valid_code(&params.code) {
+        return Html(
+            "<html><body><p>Invalid confirmation code format.</p></body></html>".to_string(),
+        )
+        .into_response();
+    }
+
     let cf_token = headers
         .get("cookie")
         .and_then(|v| v.to_str().ok())
@@ -71,13 +97,32 @@ async fn auth_connect(
     let safe_gateway = html_escape(&gateway_display);
 
     match cf_token {
-        Some(token) => Html(render_connect_page(
-            &safe_gateway,
-            params.callback_port,
-            &token,
-            &params.code,
-        )),
-        None => Html(render_waiting_page(params.callback_port, &params.code)),
+        Some(token) => {
+            let nonce = uuid::Uuid::new_v4().to_string();
+            let csp = format!(
+                "default-src 'none'; script-src 'nonce-{nonce}'; style-src 'unsafe-inline'; connect-src http://127.0.0.1:*"
+            );
+            (
+                [(header::CONTENT_SECURITY_POLICY, csp)],
+                Html(render_connect_page(
+                    &safe_gateway,
+                    params.callback_port,
+                    &token,
+                    &params.code,
+                    &nonce,
+                )),
+            )
+                .into_response()
+        }
+        None => {
+            let csp =
+                "default-src 'none'; style-src 'unsafe-inline'".to_string();
+            (
+                [(header::CONTENT_SECURITY_POLICY, csp)],
+                Html(render_waiting_page(params.callback_port, &params.code)),
+            )
+                .into_response()
+        }
     }
 }
 
@@ -106,22 +151,27 @@ fn render_connect_page(
     callback_port: u16,
     cf_token: &str,
     code: &str,
+    nonce: &str,
 ) -> String {
-    // Escape the token for safe embedding in a JS string literal.
-    let escaped_token = cf_token
-        .replace('\\', "\\\\")
-        .replace('\'', "\\'")
-        .replace('"', "\\\"")
-        .replace('<', "\\x3c")
-        .replace('>', "\\x3e");
+    // Use JSON serialization for JS-safe string embedding — handles all
+    // edge cases including \n, \r, U+2028, U+2029 that break JS string
+    // literals. serde_json::to_string produces a quoted JSON string
+    // (e.g., "value") which is a valid JS string literal.
+    //
+    // We additionally escape < and > to \u003c / \u003e because while
+    // they're valid in JSON, they're dangerous inside an HTML <script>
+    // block (the HTML parser sees </script> before the JS parser runs).
+    let json_token = serde_json::to_string(cf_token)
+        .unwrap_or_else(|_| "\"\"".to_string())
+        .replace('<', "\\u003c")
+        .replace('>', "\\u003e");
+    let json_code = serde_json::to_string(code)
+        .unwrap_or_else(|_| "\"\"".to_string())
+        .replace('<', "\\u003c")
+        .replace('>', "\\u003e");
 
-    // Escape the code the same way (it's alphanumeric + dash, but be safe).
-    let escaped_code = code
-        .replace('\\', "\\\\")
-        .replace('\'', "\\'")
-        .replace('"', "\\\"")
-        .replace('<', "\\x3c")
-        .replace('>', "\\x3e");
+    // HTML-safe version of the code for display in the page body.
+    let html_code = html_escape(code);
 
     let version = openshell_core::VERSION;
 
@@ -252,7 +302,7 @@ fn render_connect_page(
         <div class="subtitle">Connect to Gateway</div>
         <div class="code-box">
             <div class="code-label">Confirmation Code</div>
-            <div class="code-value">{escaped_code}</div>
+            <div class="code-value">{html_code}</div>
             <div class="code-hint">Verify this matches the code shown in your terminal</div>
         </div>
         <div class="info">
@@ -273,9 +323,9 @@ fn render_connect_page(
         </div>
         <div class="status" id="status"></div>
     </div>
-    <script>
-        var token = '{escaped_token}';
-        var code = '{escaped_code}';
+    <script nonce="{nonce}">
+        var token = {json_token};
+        var code = {json_code};
         var port = {callback_port};
         function connect() {{
             var btn = document.getElementById('connectBtn');
@@ -442,6 +492,7 @@ mod tests {
             12345,
             "test-jwt-token",
             "ABC-1234",
+            "test-nonce",
         );
         assert!(html.contains("test-jwt-token"));
         assert!(html.contains("12345"));
@@ -454,25 +505,48 @@ mod tests {
         // Should POST with JSON
         assert!(html.contains("method: 'POST'"));
         assert!(html.contains("JSON.stringify"));
+        // CSP nonce should be on the script tag
+        assert!(html.contains("nonce=\"test-nonce\""));
     }
 
     #[test]
     fn render_connect_page_escapes_special_chars() {
-        let html =
-            render_connect_page("gw", 1234, "token<script>alert('xss')</script>", "ABC-1234");
-        // < and > should be escaped
+        let html = render_connect_page(
+            "gw",
+            1234,
+            "token<script>alert('xss')</script>",
+            "ABC-1234",
+            "nonce",
+        );
+        // < and > should be escaped via JSON encoding (\u003c)
         assert!(!html.contains("<script>alert"));
-        assert!(html.contains("\\x3c"));
     }
 
     #[test]
     fn render_connect_page_includes_code_in_js_payload() {
-        let html = render_connect_page("gw", 1234, "jwt", "XY7-9KLM");
-        // The JS should send the code in the JSON payload
-        assert!(html.contains("var code = 'XY7-9KLM'"));
+        let html = render_connect_page("gw", 1234, "jwt", "XY7-9KLM", "nonce");
+        // The JS should send the code in the JSON payload (now JSON-encoded)
+        assert!(html.contains(r#"var code = "XY7-9KLM""#));
         assert!(html.contains("code: code"));
     }
 
+    #[test]
+    fn is_valid_code_accepts_valid_format() {
+        assert!(is_valid_code("AB7-X9KM"));
+        assert!(is_valid_code("222-AAAA"));
+        assert!(is_valid_code("ZZZ-9999"));
+    }
+
+    #[test]
+    fn is_valid_code_rejects_invalid_format() {
+        assert!(!is_valid_code(""));
+        assert!(!is_valid_code("too-long-code"));
+        assert!(!is_valid_code("abc-defg")); // lowercase
+        assert!(!is_valid_code("AB7X9KLM")); // no dash
+        assert!(!is_valid_code("AB7-9KL")); // too short
+        assert!(!is_valid_code("x\u{2028};fetch('//evil')//")); // XSS payload
+    }
+
     #[test]
     fn render_waiting_page_has_auto_refresh_with_code() {
         let html = render_waiting_page(12345, "ABC-1234");

From 1a961133888de0887ba8110b5ea7fe1534043ddd Mon Sep 17 00:00:00 2001
From: John Myers <johntmyers@users.noreply.github.com>
Date: Thu, 2 Apr 2026 15:36:04 -0700
Subject: [PATCH 06/10] fix(sandbox): add byte cap and idle timeout to
 streaming inference relay

Prevents resource exhaustion from upstream inference endpoints that stream
indefinitely or hold connections open. Adds a 32 MiB total body limit
and 30-second per-chunk idle timeout (CWE-400).

OS-21
---
 crates/openshell-sandbox/src/proxy.rs | 33 +++++++++++++++++++++++----
 1 file changed, 28 insertions(+), 5 deletions(-)

diff --git a/crates/openshell-sandbox/src/proxy.rs b/crates/openshell-sandbox/src/proxy.rs
index a7df76e2..9e87450d 100644
--- a/crates/openshell-sandbox/src/proxy.rs
+++ b/crates/openshell-sandbox/src/proxy.rs
@@ -23,6 +23,12 @@ use tracing::{debug, info, warn};
 const MAX_HEADER_BYTES: usize = 8192;
 const INFERENCE_LOCAL_HOST: &str = "inference.local";
 
+/// Maximum total bytes for a streaming inference response body (32 MiB).
+const MAX_STREAMING_BODY: usize = 32 * 1024 * 1024;
+
+/// Idle timeout per chunk when relaying streaming inference responses.
+const CHUNK_IDLE_TIMEOUT: std::time::Duration = std::time::Duration::from_secs(30);
+
 /// Result of a proxy CONNECT policy decision.
 struct ConnectDecision {
     action: NetworkAction,
@@ -1045,18 +1051,35 @@ async fn route_inference_request(
                 let header_bytes = format_http_response_header(resp.status, &resp_headers);
                 write_all(tls_client, &header_bytes).await?;
 
-                // Stream body chunks as they arrive from the upstream.
+                // Stream body chunks with byte cap and idle timeout.
+                let mut total_bytes: usize = 0;
                 loop {
-                    match resp.next_chunk().await {
-                        Ok(Some(chunk)) => {
+                    match tokio::time::timeout(CHUNK_IDLE_TIMEOUT, resp.next_chunk()).await {
+                        Ok(Ok(Some(chunk))) => {
+                            total_bytes += chunk.len();
+                            if total_bytes > MAX_STREAMING_BODY {
+                                warn!(
+                                    total_bytes = total_bytes,
+                                    limit = MAX_STREAMING_BODY,
+                                    "streaming response exceeded byte limit, truncating"
+                                );
+                                break;
+                            }
                             let encoded = format_chunk(&chunk);
                             write_all(tls_client, &encoded).await?;
                         }
-                        Ok(None) => break,
-                        Err(e) => {
+                        Ok(Ok(None)) => break,
+                        Ok(Err(e)) => {
                             warn!(error = %e, "error reading upstream response chunk");
                             break;
                         }
+                        Err(_) => {
+                            warn!(
+                                idle_timeout_secs = CHUNK_IDLE_TIMEOUT.as_secs(),
+                                "streaming response chunk idle timeout, closing"
+                            );
+                            break;
+                        }
                     }
                 }
 

From f95590f7ed7c691f775f972c8f27deacecd04161 Mon Sep 17 00:00:00 2001
From: John Myers <johntmyers@users.noreply.github.com>
Date: Thu, 2 Apr 2026 15:39:26 -0700
Subject: [PATCH 07/10] fix(policy): narrow port field from u32 to u16 to
 reject invalid values

Prevents meaningless port values >65535 from being accepted in policy
YAML definitions. The proto field remains uint32 (protobuf has no u16)
with validation at the conversion boundary.

OS-22
---
 crates/openshell-policy/src/lib.rs | 83 ++++++++++++++++--------------
 1 file changed, 45 insertions(+), 38 deletions(-)

diff --git a/crates/openshell-policy/src/lib.rs b/crates/openshell-policy/src/lib.rs
index 7adb4dfd..8f7ed22b 100644
--- a/crates/openshell-policy/src/lib.rs
+++ b/crates/openshell-policy/src/lib.rs
@@ -82,11 +82,12 @@ struct NetworkEndpointDef {
     #[serde(default, skip_serializing_if = "String::is_empty")]
     host: String,
     /// Single port (backwards compat). Mutually exclusive with `ports`.
+    /// Uses `u16` to reject invalid values >65535 at parse time.
     #[serde(default, skip_serializing_if = "is_zero")]
-    port: u32,
+    port: u16,
     /// Multiple ports. When non-empty, this endpoint covers all listed ports.
     #[serde(default, skip_serializing_if = "Vec::is_empty")]
-    ports: Vec<u32>,
+    ports: Vec<u16>,
     #[serde(default, skip_serializing_if = "String::is_empty")]
     protocol: String,
     #[serde(default, skip_serializing_if = "String::is_empty")]
@@ -101,7 +102,7 @@ struct NetworkEndpointDef {
     allowed_ips: Vec<String>,
 }
 
-fn is_zero(v: &u32) -> bool {
+fn is_zero(v: &u16) -> bool {
     *v == 0
 }
 
@@ -169,10 +170,10 @@ fn to_proto(raw: PolicyFile) -> SandboxPolicy {
                     .map(|e| {
                         // Normalize port/ports: ports takes precedence, else
                         // single port is promoted to ports array.
-                        let normalized_ports = if !e.ports.is_empty() {
-                            e.ports
+                        let normalized_ports: Vec<u32> = if !e.ports.is_empty() {
+                            e.ports.into_iter().map(u32::from).collect()
                         } else if e.port > 0 {
-                            vec![e.port]
+                            vec![u32::from(e.port)]
                         } else {
                             vec![]
                         };
@@ -285,10 +286,12 @@ fn from_proto(policy: &SandboxPolicy) -> PolicyFile {
                     .map(|e| {
                         // Use compact form: if ports has exactly 1 element,
                         // emit port (scalar). If >1, emit ports (array).
+                        // Proto uses u32; YAML uses u16. Clamp at boundary.
+                        let clamp = |v: u32| -> u16 { v.min(65535) as u16 };
                         let (port, ports) = if e.ports.len() > 1 {
-                            (0, e.ports.clone())
+                            (0, e.ports.iter().map(|&p| clamp(p)).collect())
                         } else {
-                            (e.ports.first().copied().unwrap_or(e.port), vec![])
+                            (clamp(e.ports.first().copied().unwrap_or(e.port)), vec![])
                         };
                         NetworkEndpointDef {
                             host: e.host.clone(),
@@ -931,11 +934,9 @@ network_policies:
         });
         let violations = validate_sandbox_policy(&policy).unwrap_err();
         assert_eq!(violations.len(), 2);
-        assert!(
-            violations
-                .iter()
-                .all(|v| matches!(v, PolicyViolation::InvalidProcessIdentity { .. }))
-        );
+        assert!(violations
+            .iter()
+            .all(|v| matches!(v, PolicyViolation::InvalidProcessIdentity { .. })));
     }
 
     #[test]
@@ -953,11 +954,9 @@ network_policies:
             read_write: vec!["/tmp".into()],
         });
         let violations = validate_sandbox_policy(&policy).unwrap_err();
-        assert!(
-            violations
-                .iter()
-                .any(|v| matches!(v, PolicyViolation::PathTraversal { .. }))
-        );
+        assert!(violations
+            .iter()
+            .any(|v| matches!(v, PolicyViolation::PathTraversal { .. })));
     }
 
     #[test]
@@ -969,11 +968,9 @@ network_policies:
             read_write: vec!["/tmp".into()],
         });
         let violations = validate_sandbox_policy(&policy).unwrap_err();
-        assert!(
-            violations
-                .iter()
-                .any(|v| matches!(v, PolicyViolation::RelativePath { .. }))
-        );
+        assert!(violations
+            .iter()
+            .any(|v| matches!(v, PolicyViolation::RelativePath { .. })));
     }
 
     #[test]
@@ -985,11 +982,9 @@ network_policies:
             read_write: vec!["/".into()],
         });
         let violations = validate_sandbox_policy(&policy).unwrap_err();
-        assert!(
-            violations
-                .iter()
-                .any(|v| matches!(v, PolicyViolation::OverlyBroadPath { .. }))
-        );
+        assert!(violations
+            .iter()
+            .any(|v| matches!(v, PolicyViolation::OverlyBroadPath { .. })));
     }
 
     #[test]
@@ -1031,11 +1026,9 @@ network_policies:
             read_write: vec!["/tmp".into()],
         });
         let violations = validate_sandbox_policy(&policy).unwrap_err();
-        assert!(
-            violations
-                .iter()
-                .any(|v| matches!(v, PolicyViolation::TooManyPaths { .. }))
-        );
+        assert!(violations
+            .iter()
+            .any(|v| matches!(v, PolicyViolation::TooManyPaths { .. })));
     }
 
     #[test]
@@ -1048,11 +1041,9 @@ network_policies:
             read_write: vec!["/tmp".into()],
         });
         let violations = validate_sandbox_policy(&policy).unwrap_err();
-        assert!(
-            violations
-                .iter()
-                .any(|v| matches!(v, PolicyViolation::FieldTooLong { .. }))
-        );
+        assert!(violations
+            .iter()
+            .any(|v| matches!(v, PolicyViolation::FieldTooLong { .. })));
     }
 
     #[test]
@@ -1207,4 +1198,20 @@ network_policies:
             proto2.network_policies["test"].endpoints[0].host
         );
     }
+
+    #[test]
+    fn rejects_port_above_65535() {
+        let yaml = r#"
+version: 1
+network_policies:
+  test:
+    endpoints:
+      - host: example.com
+        port: 70000
+"#;
+        assert!(
+            parse_sandbox_policy(yaml).is_err(),
+            "port >65535 should fail to parse"
+        );
+    }
 }

From 71329fbda91185623821d7c90c4b99d5b88e3335 Mon Sep 17 00:00:00 2001
From: John Myers <johntmyers@users.noreply.github.com>
Date: Thu, 2 Apr 2026 15:41:46 -0700
Subject: [PATCH 08/10] fix(deps): migrate from archived serde_yaml to
 serde_yml

Replaces serde_yaml 0.9 (archived, RUSTSEC-2024-0320) with serde_yml
0.0.12, a maintained API-compatible fork. All import sites updated
across openshell-policy, openshell-sandbox, and openshell-router.

OS-19
---
 Cargo.toml                            |  2 +-
 crates/openshell-policy/Cargo.toml    |  2 +-
 crates/openshell-policy/src/lib.rs    |  4 ++--
 crates/openshell-router/Cargo.toml    |  2 +-
 crates/openshell-router/src/config.rs |  2 +-
 crates/openshell-sandbox/Cargo.toml   |  2 +-
 crates/openshell-sandbox/src/opa.rs   | 22 +++++++++-------------
 7 files changed, 16 insertions(+), 20 deletions(-)

diff --git a/Cargo.toml b/Cargo.toml
index 4fecf194..08b699d4 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -64,7 +64,7 @@ nix = { version = "0.29", features = ["signal", "process", "user", "fs", "term"]
 # Serialization
 serde = { version = "1", features = ["derive"] }
 serde_json = "1"
-serde_yaml = "0.9"
+serde_yml = "0.0.12"
 
 # HTTP client
 reqwest = { version = "0.12", default-features = false, features = ["json", "rustls-tls"] }
diff --git a/crates/openshell-policy/Cargo.toml b/crates/openshell-policy/Cargo.toml
index 311bb4e8..f26136c6 100644
--- a/crates/openshell-policy/Cargo.toml
+++ b/crates/openshell-policy/Cargo.toml
@@ -13,7 +13,7 @@ repository.workspace = true
 [dependencies]
 openshell-core = { path = "../openshell-core" }
 serde = { workspace = true }
-serde_yaml = { workspace = true }
+serde_yml = { workspace = true }
 miette = { workspace = true }
 
 [lints]
diff --git a/crates/openshell-policy/src/lib.rs b/crates/openshell-policy/src/lib.rs
index 8f7ed22b..a19d7902 100644
--- a/crates/openshell-policy/src/lib.rs
+++ b/crates/openshell-policy/src/lib.rs
@@ -361,7 +361,7 @@ fn from_proto(policy: &SandboxPolicy) -> PolicyFile {
 
 /// Parse a sandbox policy from a YAML string.
 pub fn parse_sandbox_policy(yaml: &str) -> Result<SandboxPolicy> {
-    let raw: PolicyFile = serde_yaml::from_str(yaml)
+    let raw: PolicyFile = serde_yml::from_str(yaml)
         .into_diagnostic()
         .wrap_err("failed to parse sandbox policy YAML")?;
     Ok(to_proto(raw))
@@ -374,7 +374,7 @@ pub fn parse_sandbox_policy(yaml: &str) -> Result<SandboxPolicy> {
 /// and is round-trippable through `parse_sandbox_policy`.
 pub fn serialize_sandbox_policy(policy: &SandboxPolicy) -> Result<String> {
     let yaml_repr = from_proto(policy);
-    serde_yaml::to_string(&yaml_repr)
+    serde_yml::to_string(&yaml_repr)
         .into_diagnostic()
         .wrap_err("failed to serialize policy to YAML")
 }
diff --git a/crates/openshell-router/Cargo.toml b/crates/openshell-router/Cargo.toml
index dc8e9c92..e4c3d5ea 100644
--- a/crates/openshell-router/Cargo.toml
+++ b/crates/openshell-router/Cargo.toml
@@ -19,7 +19,7 @@ serde_json = { workspace = true }
 thiserror = { workspace = true }
 tracing = { workspace = true }
 tokio = { workspace = true }
-serde_yaml = { workspace = true }
+serde_yml = { workspace = true }
 uuid = { workspace = true }
 
 [dev-dependencies]
diff --git a/crates/openshell-router/src/config.rs b/crates/openshell-router/src/config.rs
index 52c22da9..b531e091 100644
--- a/crates/openshell-router/src/config.rs
+++ b/crates/openshell-router/src/config.rs
@@ -75,7 +75,7 @@ impl RouterConfig {
                 path.display()
             ))
         })?;
-        let config: Self = serde_yaml::from_str(&content).map_err(|e| {
+        let config: Self = serde_yml::from_str(&content).map_err(|e| {
             RouterError::Internal(format!(
                 "failed to parse router config {}: {e}",
                 path.display()
diff --git a/crates/openshell-sandbox/Cargo.toml b/crates/openshell-sandbox/Cargo.toml
index 68e696e9..e8e7e2c9 100644
--- a/crates/openshell-sandbox/Cargo.toml
+++ b/crates/openshell-sandbox/Cargo.toml
@@ -60,7 +60,7 @@ ipnet = "2"
 
 # Serialization
 serde_json = { workspace = true }
-serde_yaml = { workspace = true }
+serde_yml = { workspace = true }
 
 # Logging
 tracing = { workspace = true }
diff --git a/crates/openshell-sandbox/src/opa.rs b/crates/openshell-sandbox/src/opa.rs
index f1df12ff..10e40629 100644
--- a/crates/openshell-sandbox/src/opa.rs
+++ b/crates/openshell-sandbox/src/opa.rs
@@ -511,7 +511,7 @@ fn parse_process_policy(val: &regorus::Value) -> ProcessPolicy {
 
 /// Preprocess YAML policy data: parse, normalize, validate, expand access presets, return JSON.
 fn preprocess_yaml_data(yaml_str: &str) -> Result<String> {
-    let mut data: serde_json::Value = serde_yaml::from_str(yaml_str)
+    let mut data: serde_json::Value = serde_yml::from_str(yaml_str)
         .map_err(|e| miette::miette!("failed to parse YAML data: {e}"))?;
 
     // Normalize port → ports for all endpoints so Rego always sees "ports" array.
@@ -944,12 +944,10 @@ mod tests {
         let config = engine.query_sandbox_config().unwrap();
         assert!(config.filesystem.include_workdir);
         assert!(config.filesystem.read_only.contains(&PathBuf::from("/usr")));
-        assert!(
-            config
-                .filesystem
-                .read_write
-                .contains(&PathBuf::from("/tmp"))
-        );
+        assert!(config
+            .filesystem
+            .read_write
+            .contains(&PathBuf::from("/tmp")));
     }
 
     #[test]
@@ -1308,12 +1306,10 @@ network_policies:
         let config = engine.query_sandbox_config().unwrap();
         assert!(config.filesystem.include_workdir);
         assert!(config.filesystem.read_only.contains(&PathBuf::from("/usr")));
-        assert!(
-            config
-                .filesystem
-                .read_write
-                .contains(&PathBuf::from("/tmp"))
-        );
+        assert!(config
+            .filesystem
+            .read_write
+            .contains(&PathBuf::from("/tmp")));
         assert_eq!(config.process.run_as_user.as_deref(), Some("sandbox"));
         assert_eq!(config.process.run_as_group.as_deref(), Some("sandbox"));
     }

From 04825ee1a9598e18b3ae28803058a930d08c4e01 Mon Sep 17 00:00:00 2001
From: John Myers <johntmyers@users.noreply.github.com>
Date: Thu, 2 Apr 2026 15:46:01 -0700
Subject: [PATCH 09/10] fix(server): re-validate sandbox-submitted
 security_notes and cap hit_count

The gateway now re-runs security heuristics on proposed policy chunks
instead of trusting sandbox-provided security_notes, validates host
wildcards, caps hit_count at 100, and clamps confidence to [0,1]. The
TUI approve-all path is updated to use ApproveAllDraftChunks RPC which
respects the security_notes filtering gate (CWE-284, confused deputy).

OS-15
---
 crates/openshell-server/src/grpc.rs | 64 ++++++++++++++++++++++---
 crates/openshell-tui/src/lib.rs     | 72 ++++++++++++++---------------
 2 files changed, 92 insertions(+), 44 deletions(-)

diff --git a/crates/openshell-server/src/grpc.rs b/crates/openshell-server/src/grpc.rs
index 911d2f09..288fb13d 100644
--- a/crates/openshell-server/src/grpc.rs
+++ b/crates/openshell-server/src/grpc.rs
@@ -1844,18 +1844,21 @@ impl OpenShell for OpenShellService {
                 rule_name: chunk.rule_name.clone(),
                 proposed_rule: proposed_rule_bytes,
                 rationale: chunk.rationale.clone(),
-                security_notes: chunk.security_notes.clone(),
-                confidence: f64::from(chunk.confidence),
+                // Re-compute security notes server-side — never trust
+                // sandbox-provided values (confused-deputy mitigation).
+                security_notes: generate_security_notes(
+                    &ep_host,
+                    u16::try_from(ep_port as u32).unwrap_or(0),
+                ),
+                confidence: f64::from(chunk.confidence.clamp(0.0, 1.0)),
                 created_at_ms: now_ms,
                 decided_at_ms: None,
                 host: ep_host,
                 port: ep_port,
                 binary: ep_binary,
-                hit_count: if chunk.hit_count > 0 {
-                    chunk.hit_count
-                } else {
-                    1
-                },
+                // Cap hit_count to a reasonable ceiling — don't trust
+                // sandbox-supplied counts.
+                hit_count: chunk.hit_count.clamp(1, 100),
                 first_seen_ms: if chunk.first_seen_ms > 0 {
                     chunk.first_seen_ms
                 } else {
@@ -3408,6 +3411,53 @@ fn policy_record_to_revision(record: &PolicyRecord, include_policy: bool) -> San
     }
 }
 
+/// Re-validate security notes server-side for a proposed policy chunk.
+///
+/// Duplicates the heuristics from the sandbox's `mechanistic_mapper` to
+/// ensure the gateway never trusts sandbox-provided security annotations.
+/// This prevents a confused-deputy attack where a compromised sandbox
+/// submits proposals with empty `security_notes` to bypass the safety
+/// gate during bulk approval (CWE-284).
+fn generate_security_notes(host: &str, port: u16) -> String {
+    let mut notes = Vec::new();
+
+    // Check for private/internal IP patterns.
+    if host.starts_with("10.")
+        || host.starts_with("172.")
+        || host.starts_with("192.168.")
+        || host == "localhost"
+        || host.starts_with("127.")
+    {
+        notes.push(format!(
+            "Destination '{host}' appears to be an internal/private address."
+        ));
+    }
+
+    // Host wildcard — broadly permissive.
+    if host.contains('*') {
+        notes.push(format!(
+            "Host '{host}' contains a wildcard — this may match unintended destinations."
+        ));
+    }
+
+    // Ephemeral port range.
+    if port > 49152 {
+        notes.push(format!(
+            "Port {port} is in the ephemeral range — this may be a temporary service."
+        ));
+    }
+
+    // Well-known database / service ports.
+    const DB_PORTS: [u16; 7] = [5432, 3306, 6379, 27017, 9200, 11211, 5672];
+    if DB_PORTS.contains(&port) {
+        notes.push(format!(
+            "Port {port} is a well-known database/service port."
+        ));
+    }
+
+    notes.join(" ")
+}
+
 fn current_time_ms() -> Result<i64, std::time::SystemTimeError> {
     let now = std::time::SystemTime::now().duration_since(std::time::UNIX_EPOCH)?;
     Ok(i64::try_from(now.as_millis()).unwrap_or(i64::MAX))
diff --git a/crates/openshell-tui/src/lib.rs b/crates/openshell-tui/src/lib.rs
index 04fdf568..81edf485 100644
--- a/crates/openshell-tui/src/lib.rs
+++ b/crates/openshell-tui/src/lib.rs
@@ -1753,13 +1753,15 @@ fn spawn_draft_reject(app: &App, tx: mpsc::UnboundedSender<Event>) {
     });
 }
 
-/// Approve the snapshotted draft chunks one by one.
+/// Approve all pending draft chunks via the bulk `ApproveAllDraftChunks` RPC.
 ///
-/// Only the chunks captured when `[A]` was pressed are approved — any new
-/// chunks that arrived while the confirmation modal was open are skipped.
+/// Uses the server-side bulk endpoint which respects the `security_notes`
+/// safety gate — security-flagged chunks are skipped unless explicitly
+/// included. The `snapshot` parameter is retained for the confirmation
+/// modal count display but is not iterated for per-chunk approval.
 fn spawn_draft_approve_all(
     app: &App,
-    snapshot: Vec<openshell_core::proto::PolicyChunk>,
+    _snapshot: Vec<openshell_core::proto::PolicyChunk>,
     tx: mpsc::UnboundedSender<Event>,
 ) {
     let mut client = app.client.clone();
@@ -1769,41 +1771,37 @@ fn spawn_draft_approve_all(
     };
 
     tokio::spawn(async move {
-        let total = snapshot.len();
-        let mut approved = 0u32;
-        let mut last_version = 0u32;
-        let mut errors: Vec<String> = Vec::new();
-
-        for chunk in &snapshot {
-            let req = openshell_core::proto::ApproveDraftChunkRequest {
-                name: name.clone(),
-                chunk_id: chunk.id.clone(),
-            };
-            match tokio::time::timeout(Duration::from_secs(5), client.approve_draft_chunk(req))
-                .await
-            {
-                Ok(Ok(resp)) => {
-                    approved += 1;
-                    last_version = resp.into_inner().policy_version;
-                }
-                Ok(Err(e)) => {
-                    errors.push(format!("{}: {}", chunk.rule_name, e.message()));
-                }
-                Err(_) => {
-                    errors.push(format!("{}: timed out", chunk.rule_name));
-                }
+        let req = openshell_core::proto::ApproveAllDraftChunksRequest {
+            name,
+            include_security_flagged: false,
+        };
+        match tokio::time::timeout(Duration::from_secs(30), client.approve_all_draft_chunks(req))
+            .await
+        {
+            Ok(Ok(resp)) => {
+                let inner = resp.into_inner();
+                let msg = if inner.chunks_skipped > 0 {
+                    format!(
+                        "Approved {} chunks, skipped {} security-flagged -> policy v{}",
+                        inner.chunks_approved, inner.chunks_skipped, inner.policy_version
+                    )
+                } else {
+                    format!(
+                        "Approved {} chunks -> policy v{}",
+                        inner.chunks_approved, inner.policy_version
+                    )
+                };
+                let _ = tx.send(Event::DraftActionResult(Ok(msg)));
+            }
+            Ok(Err(e)) => {
+                let _ = tx.send(Event::DraftActionResult(Err(e.message().to_string())));
+            }
+            Err(_) => {
+                let _ = tx.send(Event::DraftActionResult(Err(
+                    "approve-all timed out".to_string(),
+                )));
             }
         }
-
-        let msg = if errors.is_empty() {
-            format!("Approved {approved}/{total} chunks -> policy v{last_version}")
-        } else {
-            format!(
-                "Approved {approved}/{total} chunks (errors: {})",
-                errors.join("; ")
-            )
-        };
-        let _ = tx.send(Event::DraftActionResult(Ok(msg)));
     });
 }
 

From 938a2b287ca6a3072b14afb6a488e37cd0e4d783 Mon Sep 17 00:00:00 2001
From: John Myers <johntmyers@users.noreply.github.com>
Date: Thu, 2 Apr 2026 15:59:29 -0700
Subject: [PATCH 10/10] chore: apply cargo fmt and update Cargo.lock for
 serde_yml

---
 Cargo.lock                          | 45 +++++++++++++++++++++------
 crates/openshell-policy/src/lib.rs  | 48 ++++++++++++++++++-----------
 crates/openshell-sandbox/src/opa.rs | 20 +++++++-----
 crates/openshell-server/src/auth.rs |  3 +-
 crates/openshell-tui/src/lib.rs     |  9 ++++--
 5 files changed, 84 insertions(+), 41 deletions(-)

diff --git a/Cargo.lock b/Cargo.lock
index 7d20c9bd..852d97a0 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -125,7 +125,7 @@ version = "1.1.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "40c48f72fd53cd289104fc64099abca73db4166ad86ea0b4341abe65af83dadc"
 dependencies = [
- "windows-sys 0.60.2",
+ "windows-sys 0.61.2",
 ]
 
 [[package]]
@@ -136,7 +136,7 @@ checksum = "291e6a250ff86cd4a820112fb8898808a366d8f9f58ce16d1f538353ad55747d"
 dependencies = [
  "anstyle",
  "once_cell_polyfill",
- "windows-sys 0.60.2",
+ "windows-sys 0.61.2",
 ]
 
 [[package]]
@@ -1283,7 +1283,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "39cab71617ae0d63f51a36d69f866391735b51691dbda63cf6f96d042b63efeb"
 dependencies = [
  "libc",
- "windows-sys 0.52.0",
+ "windows-sys 0.61.2",
 ]
 
 [[package]]
@@ -2497,6 +2497,16 @@ dependencies = [
  "vcpkg",
 ]
 
+[[package]]
+name = "libyml"
+version = "0.0.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3302702afa434ffa30847a83305f0a69d6abd74293b6554c18ec85c7ef30c980"
+dependencies = [
+ "anyhow",
+ "version_check",
+]
+
 [[package]]
 name = "linux-raw-sys"
 version = "0.4.15"
@@ -2691,7 +2701,7 @@ version = "0.50.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "7957b9740744892f114936ab4a57b3f487491bbeafaf8083688b16841a4240e5"
 dependencies = [
- "windows-sys 0.59.0",
+ "windows-sys 0.61.2",
 ]
 
 [[package]]
@@ -2902,7 +2912,7 @@ dependencies = [
  "miette",
  "openshell-core",
  "serde",
- "serde_yaml",
+ "serde_yml",
 ]
 
 [[package]]
@@ -2922,7 +2932,7 @@ dependencies = [
  "reqwest",
  "serde",
  "serde_json",
- "serde_yaml",
+ "serde_yml",
  "tempfile",
  "thiserror 2.0.18",
  "tokio",
@@ -2958,7 +2968,7 @@ dependencies = [
  "rustls-pemfile",
  "seccompiler",
  "serde_json",
- "serde_yaml",
+ "serde_yml",
  "sha2 0.10.9",
  "temp-env",
  "tempfile",
@@ -4044,7 +4054,7 @@ dependencies = [
  "errno",
  "libc",
  "linux-raw-sys 0.12.1",
- "windows-sys 0.52.0",
+ "windows-sys 0.61.2",
 ]
 
 [[package]]
@@ -4348,6 +4358,21 @@ dependencies = [
  "unsafe-libyaml",
 ]
 
+[[package]]
+name = "serde_yml"
+version = "0.0.12"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "59e2dd588bf1597a252c3b920e0143eb99b0f76e4e082f4c92ce34fbc9e71ddd"
+dependencies = [
+ "indexmap 2.13.0",
+ "itoa",
+ "libyml",
+ "memchr",
+ "ryu",
+ "serde",
+ "version_check",
+]
+
 [[package]]
 name = "serdect"
 version = "0.4.2"
@@ -4519,7 +4544,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "3a766e1110788c36f4fa1c2b71b387a7815aa65f88ce0229841826633d93723e"
 dependencies = [
  "libc",
- "windows-sys 0.60.2",
+ "windows-sys 0.61.2",
 ]
 
 [[package]]
@@ -4930,7 +4955,7 @@ dependencies = [
  "getrandom 0.4.2",
  "once_cell",
  "rustix 1.1.4",
- "windows-sys 0.52.0",
+ "windows-sys 0.61.2",
 ]
 
 [[package]]
diff --git a/crates/openshell-policy/src/lib.rs b/crates/openshell-policy/src/lib.rs
index a19d7902..9cf543bd 100644
--- a/crates/openshell-policy/src/lib.rs
+++ b/crates/openshell-policy/src/lib.rs
@@ -934,9 +934,11 @@ network_policies:
         });
         let violations = validate_sandbox_policy(&policy).unwrap_err();
         assert_eq!(violations.len(), 2);
-        assert!(violations
-            .iter()
-            .all(|v| matches!(v, PolicyViolation::InvalidProcessIdentity { .. })));
+        assert!(
+            violations
+                .iter()
+                .all(|v| matches!(v, PolicyViolation::InvalidProcessIdentity { .. }))
+        );
     }
 
     #[test]
@@ -954,9 +956,11 @@ network_policies:
             read_write: vec!["/tmp".into()],
         });
         let violations = validate_sandbox_policy(&policy).unwrap_err();
-        assert!(violations
-            .iter()
-            .any(|v| matches!(v, PolicyViolation::PathTraversal { .. })));
+        assert!(
+            violations
+                .iter()
+                .any(|v| matches!(v, PolicyViolation::PathTraversal { .. }))
+        );
     }
 
     #[test]
@@ -968,9 +972,11 @@ network_policies:
             read_write: vec!["/tmp".into()],
         });
         let violations = validate_sandbox_policy(&policy).unwrap_err();
-        assert!(violations
-            .iter()
-            .any(|v| matches!(v, PolicyViolation::RelativePath { .. })));
+        assert!(
+            violations
+                .iter()
+                .any(|v| matches!(v, PolicyViolation::RelativePath { .. }))
+        );
     }
 
     #[test]
@@ -982,9 +988,11 @@ network_policies:
             read_write: vec!["/".into()],
         });
         let violations = validate_sandbox_policy(&policy).unwrap_err();
-        assert!(violations
-            .iter()
-            .any(|v| matches!(v, PolicyViolation::OverlyBroadPath { .. })));
+        assert!(
+            violations
+                .iter()
+                .any(|v| matches!(v, PolicyViolation::OverlyBroadPath { .. }))
+        );
     }
 
     #[test]
@@ -1026,9 +1034,11 @@ network_policies:
             read_write: vec!["/tmp".into()],
         });
         let violations = validate_sandbox_policy(&policy).unwrap_err();
-        assert!(violations
-            .iter()
-            .any(|v| matches!(v, PolicyViolation::TooManyPaths { .. })));
+        assert!(
+            violations
+                .iter()
+                .any(|v| matches!(v, PolicyViolation::TooManyPaths { .. }))
+        );
     }
 
     #[test]
@@ -1041,9 +1051,11 @@ network_policies:
             read_write: vec!["/tmp".into()],
         });
         let violations = validate_sandbox_policy(&policy).unwrap_err();
-        assert!(violations
-            .iter()
-            .any(|v| matches!(v, PolicyViolation::FieldTooLong { .. })));
+        assert!(
+            violations
+                .iter()
+                .any(|v| matches!(v, PolicyViolation::FieldTooLong { .. }))
+        );
     }
 
     #[test]
diff --git a/crates/openshell-sandbox/src/opa.rs b/crates/openshell-sandbox/src/opa.rs
index 10e40629..f1c0ad29 100644
--- a/crates/openshell-sandbox/src/opa.rs
+++ b/crates/openshell-sandbox/src/opa.rs
@@ -944,10 +944,12 @@ mod tests {
         let config = engine.query_sandbox_config().unwrap();
         assert!(config.filesystem.include_workdir);
         assert!(config.filesystem.read_only.contains(&PathBuf::from("/usr")));
-        assert!(config
-            .filesystem
-            .read_write
-            .contains(&PathBuf::from("/tmp")));
+        assert!(
+            config
+                .filesystem
+                .read_write
+                .contains(&PathBuf::from("/tmp"))
+        );
     }
 
     #[test]
@@ -1306,10 +1308,12 @@ network_policies:
         let config = engine.query_sandbox_config().unwrap();
         assert!(config.filesystem.include_workdir);
         assert!(config.filesystem.read_only.contains(&PathBuf::from("/usr")));
-        assert!(config
-            .filesystem
-            .read_write
-            .contains(&PathBuf::from("/tmp")));
+        assert!(
+            config
+                .filesystem
+                .read_write
+                .contains(&PathBuf::from("/tmp"))
+        );
         assert_eq!(config.process.run_as_user.as_deref(), Some("sandbox"));
         assert_eq!(config.process.run_as_group.as_deref(), Some("sandbox"));
     }
diff --git a/crates/openshell-server/src/auth.rs b/crates/openshell-server/src/auth.rs
index 9fe7e9bb..b896d062 100644
--- a/crates/openshell-server/src/auth.rs
+++ b/crates/openshell-server/src/auth.rs
@@ -115,8 +115,7 @@ async fn auth_connect(
                 .into_response()
         }
         None => {
-            let csp =
-                "default-src 'none'; style-src 'unsafe-inline'".to_string();
+            let csp = "default-src 'none'; style-src 'unsafe-inline'".to_string();
             (
                 [(header::CONTENT_SECURITY_POLICY, csp)],
                 Html(render_waiting_page(params.callback_port, &params.code)),
diff --git a/crates/openshell-tui/src/lib.rs b/crates/openshell-tui/src/lib.rs
index 81edf485..e8759999 100644
--- a/crates/openshell-tui/src/lib.rs
+++ b/crates/openshell-tui/src/lib.rs
@@ -1775,8 +1775,11 @@ fn spawn_draft_approve_all(
             name,
             include_security_flagged: false,
         };
-        match tokio::time::timeout(Duration::from_secs(30), client.approve_all_draft_chunks(req))
-            .await
+        match tokio::time::timeout(
+            Duration::from_secs(30),
+            client.approve_all_draft_chunks(req),
+        )
+        .await
         {
             Ok(Ok(resp)) => {
                 let inner = resp.into_inner();
@@ -1798,7 +1801,7 @@ fn spawn_draft_approve_all(
             }
             Err(_) => {
                 let _ = tx.send(Event::DraftActionResult(Err(
-                    "approve-all timed out".to_string(),
+                    "approve-all timed out".to_string()
                 )));
             }
         }