feat(security): enforce E2B sandbox, fail-closed defaults [EPIC 0.2]

Closes #4, closes #5, closes #6, closes #7, closes #8

Author: Deepfreezechill

.gitignore

@@ -77,3 +77,4 @@ frontend/node_modules
 # Coverage
 .coverage
 htmlcov/
+coverage.xml

openspace/.env.example

@@ -40,9 +40,15 @@ OPENSPACE_API_KEY=sk_xxxxxxxxxxxxxxxx
 # EMBEDDING_API_KEY=
 # EMBEDDING_MODEL= "openai/text-embedding-3-small"
 
-# ---- E2B Sandbox (Optional) ----
-# Required only if sandbox mode is enabled in security config.
-# E2B_API_KEY=
+# ---- E2B Sandbox (Required for MCP stdio servers) ----
+# E2B sandbox is ENFORCED by default for all stdio-based MCP servers.
+# You MUST provide an API key for E2B to execute skills securely.
+# Get your API key from https://e2b.dev/
+E2B_API_KEY=
+
+# ---- Sandbox Configuration ----
+# Sandbox is mandatory. To opt out (development only, NOT recommended):
+# OPENSPACE_ALLOW_UNSANDBOXED=1
 
 # ---- Local Server (Optional) ----
 # Override the default local server URL (default: http://127.0.0.1:5000)

openspace/config/README.md

@@ -99,7 +99,7 @@ Layered system — later files override earlier ones:
 |---------|-----------|-------------|
 | `shell` | `mode`, `timeout`, `conda_env`, `working_dir` | `"local"` (default) or `"server"`, command timeout (default: `60`s) |
 | `gui` | `mode`, `timeout`, `driver_type`, `screenshot_on_error` | Local/server mode, automation driver (default: `pyautogui`) |
-| `mcp` | `timeout`, `sandbox`, `eager_sessions` | Request timeout (`30`s), E2B sandbox, lazy/eager server init |
+| `mcp` | `timeout`, `sandbox`, `eager_sessions` | Request timeout (`30`s), E2B sandbox (**enforced by default**), lazy/eager server init |
 | `tool_search` | `search_mode`, `max_tools`, `enable_llm_filter` | `"hybrid"` (semantic + LLM), max tools to return (`40`), embedding cache |
 | `tool_quality` | `enabled`, `enable_persistence`, `evolve_interval` | Quality tracking, self-evolution every N calls (default: `5`) |
 | `skills` | `enabled`, `skill_dirs`, `max_select` | Directories to scan, max skills injected per task (default: `2`) |
@@ -110,6 +110,26 @@ Layered system — later files override earlier ones:
 |-------|-------------|---------|
 | `allow_shell_commands` | Enable shell execution | `true` |
 | `blocked_commands` | Platform-specific blacklists (common/linux/darwin/windows) | `rm -rf`, `shutdown`, `dd`, etc. |
-| `sandbox_enabled` | Enable sandboxing for all operations | `false` |
+| `sandbox_enabled` | Enable sandboxing for all operations | **`true`** |
 | Per-backend overrides | Shell, MCP, GUI, Web each have independent security policies | Inherit global |
 
+### E2B Sandbox Configuration
+
+Sandbox execution is **enforced by default** for all stdio-based MCP servers. This prevents
+untrusted skill code from executing directly on the host.
+
+| Setting | Source | Description |
+|---------|--------|-------------|
+| `E2B_API_KEY` | **Environment variable** (required) | API key from [e2b.dev](https://e2b.dev). Never passed via config. |
+| `mcp.sandbox` | `config_grounding.json` | Default: `true`. Controls sandbox enforcement for MCP backend. |
+| `sandbox_enabled` | `config_security.json` | Default: `true`. Global and per-backend sandbox policy. |
+| `sandbox_template_id` | Config only | E2B sandbox template (default: `"base"`). |
+| `timeout` | Config only | Sandbox command timeout in seconds (default: `600`). |
+| `OPENSPACE_ALLOW_UNSANDBOXED` | Environment variable | Set to `1` to allow unsandboxed execution (dev only, **NOT recommended**). |
+
+**Fail-closed behavior:**
+- Missing `E2B_API_KEY` → startup fails (no silent fallback)
+- Missing E2B SDK → startup fails with install instructions
+- Invalid config → startup fails (no default-config fallback)
+- Sandbox start failure → execution aborted (no downgrade to direct execution)
+

openspace/config/config_grounding.json

@@ -14,7 +14,7 @@
     "timeout": 30,
     "max_retries": 3,
     "retry_interval": 2.0,
-    "sandbox": false,
+    "sandbox": true,
     "auto_initialize": true,
     "eager_sessions": false,
     "sse_read_timeout": 300.0,

openspace/config/config_security.json

@@ -10,7 +10,7 @@
         "darwin": ["diskutil", "dd", "pfctl", "launchctl", "killall"],
         "windows": ["del", "format", "rd", "rmdir", "/s", "/q", "taskkill", "/f"]
       },
-      "sandbox_enabled": false
+      "sandbox_enabled": true
     },
     "backend": {
       "shell": {
@@ -54,10 +54,10 @@
             "wmic"
           ]
         },
-        "sandbox_enabled": false
+        "sandbox_enabled": true
       },
       "mcp": {
-        "sandbox_enabled": false
+        "sandbox_enabled": true
       },
       "web": {
         "allow_network_access": true,

openspace/config/grounding.py

@@ -105,7 +105,7 @@ class WebConfig(BackendConfig):
 
 class MCPConfig(BackendConfig):
     """MCP backend configuration"""
-    sandbox: bool = Field(False, description="Whether to enable sandbox")
+    sandbox: bool = Field(True, description="Whether to enable sandbox (enforced by default for security)")
     auto_initialize: bool = Field(True, description="Whether to auto initialize")
     eager_sessions: bool = Field(False, description="Whether to eagerly create sessions for all servers on initialization")
     retry_interval: float = Field(2.0, ge=0.1, le=60.0, description="Wait time between retries in seconds")

openspace/config/loader.py

@@ -33,12 +33,24 @@ def _deep_merge_dict(base: dict, update: dict) -> dict:
             result[key] = value
     return result
 
-def _load_json_file(path: Path) -> Dict[str, Any]:
+def _load_json_file(path: Path, *, critical: bool = False) -> Dict[str, Any]:
     """Load single JSON configuration file.
     
-    This function wraps the generic load_json_file and adds global configuration specific error handling and logging.
+    This function wraps the generic load_json_file and adds global
+    configuration specific error handling and logging.
+    
+    Args:
+        path: Path to JSON file.
+        critical: If True, raise on parse errors instead of returning {}.
+                  Use for security-critical config files where silent
+                  fallback to empty dict could weaken security posture.
     """
     if not path.exists():
+        if critical:
+            raise FileNotFoundError(
+                f"Critical configuration file missing: {path}. "
+                "Cannot start with potentially insecure defaults."
+            )
         logger.debug(f"Configuration file does not exist, skipping: {path}")
         return {}
 
@@ -47,18 +59,33 @@ def _load_json_file(path: Path) -> Dict[str, Any]:
         logger.info(f"Loaded configuration file: {path}")
         return data
     except Exception as e:
+        if critical:
+            raise RuntimeError(
+                f"Failed to parse critical configuration file {path}: {e}. "
+                "Refusing to start with potentially insecure defaults."
+            ) from e
         logger.warning(f"Failed to load configuration file {path}: {e}")
         return {}
 
-def _load_multiple_files(paths: Iterable[Path]) -> Dict[str, Any]:
-    """Load configuration from multiple files"""
+def _load_multiple_files(paths: Iterable[Path], critical_files: frozenset[str] = frozenset()) -> Dict[str, Any]:
+    """Load configuration from multiple files.
+    
+    Args:
+        paths: Config file paths to load and merge.
+        critical_files: Filenames (not full paths) that must not fail silently.
+    """
     merged = {}
     for path in paths:
-        data = _load_json_file(path)
+        is_critical = path.name in critical_files
+        data = _load_json_file(path, critical=is_critical)
         if data:
             merged = _deep_merge_dict(merged, data)
     return merged
 
+# Security config must not fail silently — malformed security config
+# could silently disable sandbox enforcement.
+_CRITICAL_CONFIG_FILES = frozenset({CONFIG_SECURITY})
+
 def load_config(*config_paths: Union[str, Path]) -> GroundingConfig:
     """
     Load configuration files
@@ -76,7 +103,9 @@ def load_config(*config_paths: Union[str, Path]) -> GroundingConfig:
             ]
 
         # Load and merge configuration
-        raw_data = _load_multiple_files(paths)
+        # Security config is marked critical — parse errors raise instead of
+        # silently falling back to defaults (which could disable sandbox).
+        raw_data = _load_multiple_files(paths, critical_files=_CRITICAL_CONFIG_FILES)
 
         # Load MCP configuration (separate processing)
         # Check if mcpServers already provided in merged custom configs
@@ -98,11 +127,17 @@ def load_config(*config_paths: Union[str, Path]) -> GroundingConfig:
                 logger.debug(f"Loaded MCP servers from default config_mcp.json ({len(raw_data['mcp']['servers'])} servers)")
 
         # Validate and create configuration object
+        # Fail-closed: invalid config raises instead of silently falling back
+        # to defaults (which could disable sandbox enforcement)
         try:
             _config = GroundingConfig.model_validate(raw_data)
         except Exception as e:
-            logger.error(f"Validation failed, using default configuration: {e}")
-            _config = GroundingConfig()
+            logger.error(f"Configuration validation failed: {e}")
+            raise RuntimeError(
+                f"GroundingConfig validation failed — refusing to start with "
+                f"potentially insecure defaults. Fix the config or remove it "
+                f"to use secure defaults. Error: {e}"
+            ) from e
 
         # Adjust log level according to configuration
         if _config.debug:

openspace/grounding/backends/mcp/client.py

@@ -29,7 +29,7 @@ class MCPClient:
     def __init__(
         self,
         config: str | dict[str, Any] | None = None,
-        sandbox: bool = False,
+        sandbox: bool = True,
         sandbox_options: SandboxOptions | None = None,
         timeout: float = 30.0,
         sse_read_timeout: float = 300.0,
@@ -94,7 +94,7 @@ def _get_mcp_servers(self) -> dict[str, Any]:
     def from_dict(
         cls,
         config: dict[str, Any],
-        sandbox: bool = False,
+        sandbox: bool = True,
         sandbox_options: SandboxOptions | None = None,
         timeout: float = 30.0,
         sse_read_timeout: float = 300.0,
@@ -118,7 +118,7 @@ def from_dict(
 
     @classmethod
     def from_config_file(
-        cls, filepath: str, sandbox: bool = False, sandbox_options: SandboxOptions | None = None,
+        cls, filepath: str, sandbox: bool = True, sandbox_options: SandboxOptions | None = None,
         timeout: float = 30.0, sse_read_timeout: float = 300.0,
         max_retries: int = 3, retry_interval: float = 2.0,
     ) -> "MCPClient":

openspace/grounding/backends/mcp/config.py

@@ -2,8 +2,12 @@
 Configuration loader for MCP session.
 
 This module provides functionality to load MCP configuration from JSON files.
+
+Security: Sandbox is enforced by default for all stdio-based MCP servers.
+Unsandboxed execution requires explicit OPENSPACE_ALLOW_UNSANDBOXED=1 env var.
 """
 
+import os
 from typing import Any, Optional
 
 from openspace.grounding.core.types import SandboxOptions
@@ -26,10 +30,39 @@
     E2BSandbox = None
     E2B_AVAILABLE = False
 
+
+# Trusted sandbox config keys that may be sourced from config/env
+_TRUSTED_SANDBOX_KEYS = frozenset({
+    "timeout", "sse_read_timeout", "supergateway_command", "port",
+    "sandbox_template_id",
+})
+
+
+def _build_trusted_sandbox_options(
+    caller_options: SandboxOptions | None,
+    default_timeout: float,
+    default_sse_timeout: float,
+) -> dict[str, Any]:
+    """Build sandbox options from trusted sources only.
+
+    Strips caller-supplied api_key (must come from env E2B_API_KEY).
+    Only allows known config keys through; ignores anything else.
+    """
+    base: dict[str, Any] = {
+        "timeout": default_timeout,
+        "sse_read_timeout": default_sse_timeout,
+    }
+    if caller_options:
+        for key in _TRUSTED_SANDBOX_KEYS:
+            if key in caller_options:
+                base[key] = caller_options[key]
+    return base
+
+
 async def create_connector_from_config(
     server_config: dict[str, Any],
     server_name: str = "unknown",
-    sandbox: bool = False,
+    sandbox: bool = True,
     sandbox_options: SandboxOptions | None = None,
     timeout: float = 30.0,
     sse_read_timeout: float = 300.0,
@@ -40,10 +73,15 @@ async def create_connector_from_config(
 ) -> MCPBaseConnector:
     """Create a connector based on server configuration.
     
+    For stdio-based servers, sandbox is ENFORCED. Unsandboxed stdio execution
+    is denied by default. Set OPENSPACE_ALLOW_UNSANDBOXED=1 to explicitly
+    opt out (development/testing only — NOT recommended for production).
+    
     Args:
         server_config: The server configuration section
         server_name: Name of the MCP server (for display purposes)
         sandbox: Whether to use sandboxed execution mode for running MCP servers.
+                 Defaults to True (enforced).
         sandbox_options: Optional sandbox configuration options.
         timeout: Timeout for operations in seconds (default: 30.0)
         sse_read_timeout: SSE read timeout in seconds (default: 300.0)
@@ -56,13 +94,40 @@ async def create_connector_from_config(
         A configured connector instance
         
     Raises:
-        RuntimeError: If dependencies are not installed and user declines installation
+        RuntimeError: If sandbox is required but not available, or if
+            dependencies are not installed and user declines installation
     """
 
     # Get original command and args from config
     original_command = get_config_value(server_config, "command")
     original_args = get_config_value(server_config, "args", [])
 
+    # --- Sandbox enforcement BEFORE any host-side operations ---
+    # Reject unsandboxed stdio early, before ensure_dependencies runs
+    # npm/pip install on the host. This prevents a malicious server config
+    # from triggering host-side package installs before being denied.
+    if is_stdio_server(server_config) and not sandbox:
+        allow_unsandboxed = os.environ.get("OPENSPACE_ALLOW_UNSANDBOXED", "").strip()
+        if allow_unsandboxed != "1":
+            raise RuntimeError(
+                f"Unsandboxed stdio execution denied for server '{server_name}'. "
+                "Sandbox is required for all stdio-based MCP servers. "
+                "Set OPENSPACE_ALLOW_UNSANDBOXED=1 to override (NOT recommended)."
+            )
+        import logging
+        logging.getLogger(__name__).warning(
+            "SECURITY: Running server '%s' WITHOUT sandbox (OPENSPACE_ALLOW_UNSANDBOXED=1). "
+            "This is NOT recommended for production use.",
+            server_name,
+        )
+
+    if is_stdio_server(server_config) and sandbox and not E2B_AVAILABLE:
+        raise ImportError(
+            "E2B sandbox support not available. Please install e2b-code-interpreter: "
+            "'pip install e2b-code-interpreter'"
+        )
+
+    # --- Host-side operations (only after sandbox enforcement passes) ---
     # Check and install dependencies if needed (only for stdio servers)
     if is_stdio_server(server_config) and check_dependencies:
         # Use provided installer or get global instance
@@ -73,27 +138,23 @@ async def create_connector_from_config(
         # Ensure dependencies are installed (using original command/args)
         await installer.ensure_dependencies(server_name, original_command, original_args)
 
-    # Stdio connector (command-based)
+    # Stdio connector — unsandboxed (only reachable with explicit opt-out)
     if is_stdio_server(server_config) and not sandbox:
         return StdioConnector(
             command=get_config_value(server_config, "command"),
             args=get_config_value(server_config, "args"),
             env=get_config_value(server_config, "env", None),
         )
 
-    # Sandboxed connector
-    elif is_stdio_server(server_config) and sandbox:
-        if not E2B_AVAILABLE:
-            raise ImportError(
-                "E2B sandbox support not available. Please install e2b-code-interpreter: "
-                "'pip install e2b-code-interpreter'"
-            )
-        
-        # Create E2B sandbox instance
-        _sandbox_options = sandbox_options or {}
+    # Sandboxed connector (E2B_AVAILABLE already verified above)
+    elif is_stdio_server(server_config):
+        # Build sandbox options from trusted config/env only (never user input)
+        _sandbox_options = _build_trusted_sandbox_options(
+            sandbox_options, timeout, sse_read_timeout
+        )
         e2b_sandbox = E2BSandbox(_sandbox_options)
 
-        # Extract timeout values from sandbox_options or use defaults
+        # Extract timeout values from trusted options
         connector_timeout = _sandbox_options.get("timeout", timeout)
         connector_sse_timeout = _sandbox_options.get("sse_read_timeout", sse_read_timeout)
 

openspace/grounding/backends/mcp/provider.py

@@ -39,7 +39,7 @@ def __init__(self, config: Dict | None = None, installer: Optional[MCPInstallerM
         super().__init__(BackendType.MCP, config)
 
         # Extract MCP-specific configuration
-        sandbox = get_config_value(config, "sandbox", False)
+        sandbox = get_config_value(config, "sandbox", True)
         timeout = get_config_value(config, "timeout", 30)
         sse_read_timeout = get_config_value(config, "sse_read_timeout", 300.0)
         max_retries = get_config_value(config, "max_retries", 3)