fix(security): phase 1 hardening — sudo allowlist, token expiry, gateway secret

Addresses three ship-blocking findings from the feat/autopilot security audit:

#1 [CRITICAL] Sandbox passwordless sudo narrowed to package managers only
  - Replace `NOPASSWD: ALL` with a scoped Cmnd_Alias covering apt-get, apt,
    dpkg, pip, uv, npm, bun. Validate via `visudo -c` at image build.
  - Claude can still `sudo apt-get install` mid-session (95% case); arbitrary
    privilege escalation inside the container is blocked.
  - Operators must rebuild the sandbox image for the change to take effect.

#2 [CRITICAL] Deployment tokens now expire
  - Workspace session token: 6h TTL (was: never).
  - Autopilot run token: 2h TTL (was: never).
  - Wildcard permissions retained for now — the memory/workspace handlers
    gate on admin Permission, not deployment-token permissions, so real
    scoping requires new permission variants. Tracked for Phase 2.

#3 [HIGH] Preview gateway shared secret is now required + auto-managed
  - `temps serve` generates `\$TEMPS_DATA_DIR/preview_gateway.secret` on
    first boot (32 random bytes, hex, 0600) and exports it as
    `PREVIEW_GATEWAY_SHARED_SECRET` so the Pingora proxy injects it on
    every forwarded preview request.
  - `preview_gateway::spawn_reconcile` passes the secret into the
    container env on create.
  - `temps-preview-gateway` binary now refuses to start without the secret.
  - Blocks cross-sandbox/cross-tenant direct hits to 127.0.0.1:8090 that
    would otherwise bypass the preview-password wall.

Author: dviejokfs

Cargo.lock

@@ -39,3 +39,5 @@ http-body-util = { workspace = true }
 tar = "0.4"
 pulldown-cmark = "0.12"
 libc = { workspace = true }
+rand = { workspace = true }
+hex = "0.4"

crates/temps-agents/Cargo.toml

@@ -39,6 +39,81 @@ use tracing::{debug, info, warn};
 /// Pinned image reference. Bumped per release. Never `:latest`.
 pub const PREVIEW_GATEWAY_IMAGE: &str = "kfsoftware/temps-preview-gateway:dev";
 
+/// Filename inside `TEMPS_DATA_DIR` that holds the gateway shared secret.
+/// The file is created with 0600 perms on first boot if missing; the same
+/// value is then injected into (a) the gateway container env and (b) the
+/// `PREVIEW_GATEWAY_SHARED_SECRET` env of the current process so the
+/// host-side Pingora can pick it up and inject the `X-Temps-Preview-Token`
+/// header on every forwarded preview request.
+const PREVIEW_GATEWAY_SECRET_FILE: &str = "preview_gateway.secret";
+
+/// Ensure a shared-secret file exists under `data_dir`, generating a fresh
+/// 32-byte random secret (hex-encoded) if missing. Sets restrictive perms on
+/// first write. Returns the secret as a hex string.
+///
+/// Also exports the secret into `PREVIEW_GATEWAY_SHARED_SECRET` for the
+/// current process so in-process subsystems (notably the Pingora proxy's
+/// preview route) can read it via `std::env::var` without plumbing state.
+pub fn ensure_shared_secret(data_dir: &std::path::Path) -> Result<String> {
+    let path = data_dir.join(PREVIEW_GATEWAY_SECRET_FILE);
+
+    let secret = match std::fs::read_to_string(&path) {
+        Ok(existing) => {
+            let trimmed = existing.trim().to_string();
+            if trimmed.is_empty() {
+                return Err(anyhow!(
+                    "preview gateway secret file {} is empty",
+                    path.display()
+                ));
+            }
+            trimmed
+        }
+        Err(e) if e.kind() == std::io::ErrorKind::NotFound => {
+            // Generate a fresh 32-byte random secret.
+            use rand::RngCore;
+            let mut bytes = [0u8; 32];
+            rand::thread_rng().fill_bytes(&mut bytes);
+            let hex = hex::encode(bytes);
+
+            // Make sure the parent dir exists.
+            if !data_dir.exists() {
+                std::fs::create_dir_all(data_dir)
+                    .with_context(|| format!("failed to create data dir {}", data_dir.display()))?;
+            }
+            std::fs::write(&path, &hex)
+                .with_context(|| format!("failed to write {}", path.display()))?;
+            #[cfg(unix)]
+            {
+                use std::os::unix::fs::PermissionsExt;
+                let _ = std::fs::set_permissions(&path, std::fs::Permissions::from_mode(0o600));
+            }
+            info!(
+                path = %path.display(),
+                "generated new preview gateway shared secret"
+            );
+            hex
+        }
+        Err(e) => {
+            return Err(anyhow!(
+                "failed to read preview gateway secret file {}: {}",
+                path.display(),
+                e
+            ));
+        }
+    };
+
+    // Export for the in-process proxy to pick up at request time.
+    // SAFETY: set_var is marked unsafe on newer Rust due to multi-threaded
+    // env races. We call this only during single-threaded startup before
+    // the proxy begins serving, so it is safe in practice.
+    #[allow(unused_unsafe)]
+    unsafe {
+        std::env::set_var("PREVIEW_GATEWAY_SHARED_SECRET", &secret);
+    }
+
+    Ok(secret)
+}
+
 /// Container name for the singleton gateway on this host.
 pub const PREVIEW_GATEWAY_CONTAINER: &str = "temps-preview-gateway";
 
@@ -58,6 +133,10 @@ pub struct PreviewGatewaySpec {
     pub container_name: String,
     pub network: String,
     pub host_port: u16,
+    /// Shared secret the gateway will require on every request via the
+    /// `X-Temps-Preview-Token` header. When empty, the gateway is started
+    /// in legacy open mode — callers SHOULD always pass a non-empty value.
+    pub shared_secret: String,
 }
 
 impl Default for PreviewGatewaySpec {
@@ -67,6 +146,7 @@ impl Default for PreviewGatewaySpec {
             container_name: PREVIEW_GATEWAY_CONTAINER.to_string(),
             network: PREVIEW_GATEWAY_NETWORK.to_string(),
             host_port: DEFAULT_PREVIEW_GATEWAY_HOST_PORT,
+            shared_secret: String::new(),
         }
     }
 }
@@ -91,6 +171,7 @@ impl PreviewGatewaySpec {
             container_name: PREVIEW_GATEWAY_CONTAINER.to_string(),
             network: PREVIEW_GATEWAY_NETWORK.to_string(),
             host_port,
+            shared_secret: String::new(),
         }
     }
 }
@@ -321,12 +402,21 @@ async fn create_and_start(docker: &Docker, spec: &PreviewGatewaySpec) -> Result<
         image: Some(spec.image.clone()),
         exposed_ports: Some(exposed_ports),
         host_config: Some(host_config),
-        env: Some(vec![
-            // Inside the container we MUST bind 0.0.0.0 — the host loopback
-            // restriction is enforced by the `-p 127.0.0.1:…` publish above.
-            format!("LISTEN_ADDR=0.0.0.0:{}", GATEWAY_CONTAINER_PORT),
-            "RUST_LOG=info".to_string(),
-        ]),
+        env: Some({
+            let mut e = vec![
+                // Inside the container we MUST bind 0.0.0.0 — the host loopback
+                // restriction is enforced by the `-p 127.0.0.1:…` publish above.
+                format!("LISTEN_ADDR=0.0.0.0:{}", GATEWAY_CONTAINER_PORT),
+                "RUST_LOG=info".to_string(),
+            ];
+            if !spec.shared_secret.is_empty() {
+                e.push(format!(
+                    "PREVIEW_GATEWAY_SHARED_SECRET={}",
+                    spec.shared_secret
+                ));
+            }
+            e
+        }),
         ..Default::default()
     };
 
@@ -365,10 +455,29 @@ pub fn spawn_reconcile(
     rt: &tokio::runtime::Runtime,
     docker: Arc<Docker>,
     db: Arc<DatabaseConnection>,
+    data_dir: std::path::PathBuf,
 ) {
+    // Ensure the shared secret exists BEFORE spawning the reconciler so that
+    // the proxy (which reads the env var at request time) sees it even if the
+    // reconcile task hasn't run yet. A reconcile failure should not leave the
+    // proxy open — but secret-generation errors MUST not crash the server, so
+    // we log loudly and continue (the gateway container will then refuse to
+    // start and preview URLs just stay down).
+    let shared_secret = match ensure_shared_secret(&data_dir) {
+        Ok(s) => s,
+        Err(e) => {
+            warn!(
+                "❌ failed to ensure preview gateway shared secret: {} — workspace previews disabled",
+                e
+            );
+            String::new()
+        }
+    };
+
     rt.spawn(async move {
         let settings = load_settings(&db).await;
         let mut spec = PreviewGatewaySpec::from_settings(&settings);
+        spec.shared_secret = shared_secret;
 
         if !settings.auto_upgrade {
             // Honor whatever image is currently running. Falls back to the

crates/temps-agents/src/preview_gateway.rs

@@ -152,7 +152,12 @@ RUN EXISTING_USER=$(getent passwd 1000 | cut -d: -f1) \
          (groupdel "$EXISTING_USER" 2>/dev/null || true); \
        fi \
     && useradd -m -s /bin/bash -u 1000 temps \
-    && echo "temps ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers.d/temps
+    && echo '# temps sandbox: scoped sudo for package install only.' > /etc/sudoers.d/temps \
+    && echo 'Cmnd_Alias TEMPS_PKG = /usr/bin/apt, /usr/bin/apt-get, /usr/bin/dpkg, /usr/bin/pip, /usr/bin/pip3, /usr/local/bin/uv, /usr/bin/npm, /usr/local/bin/bun' >> /etc/sudoers.d/temps \
+    && echo 'temps ALL=(ALL) NOPASSWD: TEMPS_PKG' >> /etc/sudoers.d/temps \
+    && echo 'Defaults:temps !requiretty, !log_input, !log_output' >> /etc/sudoers.d/temps \
+    && chmod 0440 /etc/sudoers.d/temps \
+    && visudo -c -f /etc/sudoers.d/temps
 RUN mkdir -p /workspace && chown temps:temps /workspace
 # /run/temps-pty holds one Unix socket per terminal tab (one per {{kind,tab}}
 # pair). dtach creates these sockets on first attach; subsequent reconnects

crates/temps-agents/src/sandbox/docker.rs

@@ -196,12 +196,18 @@ impl AgentExecutor {
                 None => return None,
             }
         };
+        // Token lifetime: 2 hours. Autopilot runs have an internal timeout
+        // well under this, so any token still usable after 2h belongs to a
+        // run that has already completed or died — we'd rather the token
+        // expire than linger. See Phase 2 of the security plan for
+        // fine-grained permission scoping beyond expiry.
+        let expires_at = chrono::Utc::now() + chrono::Duration::hours(2);
         let request = CreateDeploymentTokenRequest {
             name: format!("workflow-run-{}-{}", agent_slug, run_id),
             environment_id: None,
             deployment_id: None,
             permissions: Some(vec!["*".to_string()]),
-            expires_at: None,
+            expires_at: Some(expires_at),
         };
         match svc.create_token(project_id, None, request).await {
             Ok(response) => Some(response.token),

crates/temps-agents/src/services/executor.rs

@@ -235,7 +235,16 @@ impl ServeCommand {
         // the gateway container. It MUST NOT block proxy startup — workspace
         // previews are a non-critical subsystem.
         if let Some(docker) = docker_handle.clone() {
-            temps_agents::preview_gateway::spawn_reconcile(&rt, docker, db.clone());
+            let data_dir = self
+                .data_dir
+                .clone()
+                .or_else(|| std::env::var("TEMPS_DATA_DIR").ok().map(PathBuf::from))
+                .unwrap_or_else(|| {
+                    dirs::home_dir()
+                        .unwrap_or_else(|| PathBuf::from("."))
+                        .join(".temps")
+                });
+            temps_agents::preview_gateway::spawn_reconcile(&rt, docker, db.clone(), data_dir);
         }
 
         // Start console API server in background (non-blocking).

crates/temps-cli/src/commands/serve/mod.rs

@@ -101,16 +101,22 @@ impl Config {
             .and_then(|s| s.parse().ok())
             .unwrap_or(DEFAULT_MAX_HEADER_BYTES);
 
+        // Require PREVIEW_GATEWAY_SHARED_SECRET. Without it, any local process
+        // or other container on the shared bridge network can reach the gateway
+        // and proxy traffic to any sandbox, bypassing the host-side preview
+        // password wall. We fail fast so misconfigurations are loud.
         let shared_secret = std::env::var("PREVIEW_GATEWAY_SHARED_SECRET")
             .ok()
-            .filter(|s| !s.is_empty());
-        if shared_secret.is_none() {
-            warn!(
-                "PREVIEW_GATEWAY_SHARED_SECRET is unset — gateway will accept \
-                 unauthenticated requests. Set it in production so only the \
-                 host-side Pingora can talk to the gateway."
-            );
-        }
+            .filter(|s| !s.is_empty())
+            .ok_or_else(|| {
+                anyhow!(
+                    "PREVIEW_GATEWAY_SHARED_SECRET is unset or empty. The gateway refuses \
+                     to start without a shared secret; the host-side Temps control plane \
+                     auto-generates one under TEMPS_DATA_DIR/preview_gateway.secret and \
+                     injects it on container creation."
+                )
+            })?;
+        let shared_secret = Some(shared_secret);
 
         Ok(Self {
             listen_addr,

crates/temps-preview-gateway/src/main.rs

@@ -1516,12 +1516,23 @@ impl MessageExecutor {
             }
         }
 
+        // Token lifetime: 6 hours. Long enough for a realistic interactive
+        // Claude/agent session, short enough that a leaked env-var token
+        // stops being useful within one work session. The stale-token
+        // cleanup above (delete_token on name collision) reissues on every
+        // new session, so users don't hit expiry mid-session in practice.
+        //
+        // Permissions: still FullAccess (`*`) because the memory and
+        // workspace handlers gate on the admin Permission enum, not on
+        // granular deployment-token permissions. Fine-grained scoping is
+        // tracked as Phase 2 of the security hardening plan.
+        let expires_at = chrono::Utc::now() + chrono::Duration::hours(6);
         let request = CreateDeploymentTokenRequest {
             name: token_name,
             environment_id: None,
             deployment_id: None,
             permissions: Some(vec!["*".to_string()]),
-            expires_at: None,
+            expires_at: Some(expires_at),
         };
 
         let response = self