Description
Problem
The runner pod exposes its AG-UI endpoint on port 8001 with no access control. Anyone who can reach the pod (in-cluster, or via port-forward) can:
- Send prompts and consume the response stream
- Execute arbitrary work in the session's context
- Do so without the frontend or backend being aware
The runner doesn't validate that requests came through the backend proxy. There's no shared event bus — AG-UI is request/response SSE, so whoever makes the POST gets the exclusive stream. No fan-out to other listeners.
Impact
- Work can happen "off-camera" — the UI shows nothing
- No audit trail through the backend
- Potential security concern in multi-tenant clusters
Proposed Solution
The runner should validate that AG-UI requests came through the backend proxy. Options:
1. Require a proxy header/token that only the backend adds (e.g., X-Ambient-Internal-Token)
2. NetworkPolicy restricting port 8001 to only the backend pod
3. mTLS between backend and runner
Option 1 is simplest. The backend already has the runner token — it could include it as a header, and the runner validates it.
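As an added example (not code from the Ambient project), this is the shape of the Option 1 check the runner could run before it opens the AG-UI stream: a fail-closed token load at startup, a case-insensitive header lookup, and a constant-time comparison. The header name X-Ambient-Internal-Token, the AMBIENT_RUNNER_TOKEN environment variable, the function names and the demo token value are all assumptions made for illustration.

```python
# Added example for Option 1, not Ambient's own code. Assumptions (hypothetical):
# the backend proxy forwards each AG-UI POST with an X-Ambient-Internal-Token
# header carrying the runner token, and the runner reads the expected value
# from the AMBIENT_RUNNER_TOKEN environment variable.
import hmac
import os
from typing import Iterable, Mapping, Optional, Tuple

HEADER_NAME = "x-ambient-internal-token"   # hypothetical header name, compared case-insensitively
ENV_VAR = "AMBIENT_RUNNER_TOKEN"           # hypothetical env var on the runner pod


def load_expected_token(env: Mapping[str, str] = os.environ) -> bytes:
    """Read the runner token once at startup. Refuse to start without one so a
    missing secret fails closed instead of silently accepting every request."""
    token = env.get(ENV_VAR, "").strip()
    if not token:
        raise RuntimeError(f"{ENV_VAR} is not set; refusing to serve AG-UI requests")
    return token.encode("utf-8")


def presented_token(headers: Iterable[Tuple[str, str]]) -> Optional[bytes]:
    """Return the proxy token from the request headers, or None if absent.
    Header names are case-insensitive, so normalise before comparing."""
    for name, value in headers:
        if name.lower() == HEADER_NAME:
            return value.strip().encode("utf-8")
    return None


def is_authorized(headers: Iterable[Tuple[str, str]], expected: bytes) -> bool:
    """True only if the request carries exactly the token the backend would add.
    hmac.compare_digest does not short-circuit on the first differing byte, so a
    caller on the cluster network cannot recover the token from response timing."""
    token = presented_token(headers)
    if not token:
        return False
    return hmac.compare_digest(token, expected)


def authorize_agui_request(headers: Iterable[Tuple[str, str]], expected: bytes) -> Tuple[int, str]:
    """Gate to run before parsing the body or opening the SSE stream.
    Only a 200 should fall through to the real AG-UI handler; any other status
    is written back and the prompt is never executed."""
    if presented_token(headers) is None:
        return 401, "missing proxy token"   # never went through the backend proxy
    if not is_authorized(headers, expected):
        return 403, "invalid proxy token"   # reached the pod directly with a guess
    return 200, "ok"


if __name__ == "__main__":
    # Constructed demo: the same two requests the issue describes.
    expected = load_expected_token({ENV_VAR: "constructed-demo-token"})
    direct_curl = [("content-type", "application/json")]                 # port-forward + curl
    via_backend = [("X-Ambient-Internal-Token", "constructed-demo-token")]  # proxied by the backend
    for label, hdrs in (("direct curl", direct_curl), ("via backend", via_backend)):
        print(label, authorize_agui_request(hdrs, expected))
```

The check belongs at the very front of the AG-UI POST handler, before the body is read, so an unauthenticated caller never gets a stream at all. Note what it does not buy: the header is a bearer secret, so anyone who can both reach port 8001 and read the runner's token (for example through kubectl access to the pod's environment or Secret) still passes, which is why the NetworkPolicy in Option 2 is worth adding alongside it rather than instead of it.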
Context
Discovered when a direct curl to the runner pod via port-forward delivered a prompt and consumed the entire AG-UI stream, leaving the frontend with no visibility into the session's work.