Summary
The gRPC service implementation (OpenShellService in crates/openshell-server/src/grpc.rs) has no auth interceptor or middleware. All RPCs — create_sandbox, delete_sandbox, exec_sandbox, create_ssh_session, etc. — are accessible to any client that completes the TLS handshake.
When allow_unauthenticated=true (set via --disable-gateway-auth), mTLS client certs become optional, meaning all gRPC RPCs are completely unauthenticated.
The test at crates/openshell-server/tests/edge_tunnel_auth.rs (line 21–26) explicitly documents this gap: "TLS handshake succeeds, but in production the auth middleware (not yet implemented) would reject."
Impact
- Severity: High
- Any client that can reach the server port can create sandboxes, execute commands, delete resources, and access provider credentials.
- This mode is intended for Cloudflare Tunnel deployments where edge authentication is handled externally, but the application itself currently has no fallback.
Proposed Fix
Add a tonic interceptor that validates either:
- The TLS client certificate peer identity (when mTLS is enabled), or
- The cf-access-jwt-assertion header (when allow_unauthenticated=true)
on every inbound RPC. Reject requests that fail both checks.
At minimum, emit a startup warning when --disable-gateway-auth is used.
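The per-RPC decision such an interceptor would make, as an added example rather than OpenShell code. Every type and function name is hypothetical; the peer identity is assumed to come from a client certificate the TLS layer has already verified, and JWT verification (signature, audience, expiry) is assumed to be done by a caller-supplied function.

```rust
// Added example: hypothetical names throughout, not OpenShell code.
/// What the interceptor sees for one inbound RPC.
pub struct RpcContext<'a> {
    /// Identity from a client certificate the TLS layer already verified.
    pub peer_identity: Option<&'a str>,
    /// Raw cf-access-jwt-assertion header value, if the client sent one.
    pub cf_access_jwt: Option<&'a str>,
}

#[derive(Debug, PartialEq)]
pub enum Principal { Mtls(String), Edge(String) }

pub struct AuthPolicy<V: Fn(&str) -> Option<String>> {
    pub allow_unauthenticated: bool,
    /// Assumption: an allow-list of accepted certificate identities.
    pub trusted_peers: Vec<String>,
    /// Assumption: verifier that checks signature, audience and expiry and
    /// returns the token subject; None means the token is invalid.
    pub verify_jwt: V,
}

impl<V: Fn(&str) -> Option<String>> AuthPolicy<V> {
    pub fn authorize(&self, ctx: &RpcContext) -> Result<Principal, &'static str> {
        // Check 1: mTLS peer identity.
        if let Some(id) = ctx.peer_identity {
            if self.trusted_peers.iter().any(|p| p == id) {
                return Ok(Principal::Mtls(id.to_string()));
            }
        }
        // Check 2: edge JWT, honoured only in allow_unauthenticated mode so a
        // header alone can never bypass a gateway that requires mTLS.
        if self.allow_unauthenticated {
            if let Some(sub) = ctx.cf_access_jwt.and_then(|t| (self.verify_jwt)(t)) {
                return Ok(Principal::Edge(sub));
            }
        }
        Err("unauthenticated") // both checks failed: reject the RPC
    }
}

/// Constructed stand-in verifier for the demo; accepts one fixed token.
pub fn demo_verifier(token: &str) -> Option<String> {
    (token == "valid-token").then(|| "user@example.com".to_string())
}

fn main() {
    let policy = AuthPolicy { allow_unauthenticated: true,
        trusted_peers: vec!["gateway-client".to_string()], verify_jwt: demo_verifier };
    let anon = RpcContext { peer_identity: None, cf_access_jwt: None };
    println!("{:?}", policy.authorize(&anon)); // rejected: no credential at all
}
```

In a tonic interceptor, an `Err` from `authorize` would be returned to the client as an unauthenticated status before any RPC handler runs.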