refactor(supervisor-network): relocate token_grant and spiffe_endpoint

Upstream's SPIFFE-backed token grant feature landed in
crates/openshell-sandbox/src/. After the supervisor split, the L7
enforcement code in supervisor-network calls into token_grant, which
would require supervisor-network to depend back on sandbox.

Move token_grant.rs and spiffe_endpoint.rs into supervisor-network
where the only callers live, add the reqwest and spiffe deps to
supervisor-network's Cargo.toml, and drop them from sandbox.

Also fix two stale `openshell_core::proto::` self-references in
openshell-core (a pre-existing breakage that surfaced once the rest of
the merge compiled).

Signed-off-by: Radoslav Hubenov <rrhubenov@gmail.com>

Author: rrhubenov

crates/openshell-core/src/grpc_client.rs

@@ -717,7 +717,7 @@ pub struct ProviderEnvironmentResult {
     pub environment: HashMap<String, String>,
     pub provider_env_revision: u64,
     pub credential_expires_at_ms: HashMap<String, i64>,
-    pub dynamic_credentials: HashMap<String, openshell_core::proto::ProviderProfileCredential>,
+    pub dynamic_credentials: HashMap<String, crate::proto::ProviderProfileCredential>,
 }
 
 impl CachedOpenShellClient {

crates/openshell-core/src/provider_credentials.rs

@@ -13,7 +13,7 @@ const MAX_RETAINED_CREDENTIAL_GENERATIONS: usize = 8;
 pub struct ProviderCredentialSnapshot {
     pub revision: u64,
     pub child_env: HashMap<String, String>,
-    pub dynamic_credentials: HashMap<String, openshell_core::proto::ProviderProfileCredential>,
+    pub dynamic_credentials: HashMap<String, crate::proto::ProviderProfileCredential>,
 }
 
 #[derive(Debug)]
@@ -34,7 +34,7 @@ impl ProviderCredentialState {
         revision: u64,
         env: HashMap<String, String>,
         credential_expires_at_ms: HashMap<String, i64>,
-        dynamic_credentials: HashMap<String, openshell_core::proto::ProviderProfileCredential>,
+        dynamic_credentials: HashMap<String, crate::proto::ProviderProfileCredential>,
     ) -> Self {
         let (child_env, generation_resolver, current_resolver) =
             SecretResolver::from_provider_env_for_current_revision(
@@ -82,7 +82,7 @@ impl ProviderCredentialState {
         revision: u64,
         env: HashMap<String, String>,
         credential_expires_at_ms: HashMap<String, i64>,
-        dynamic_credentials: HashMap<String, openshell_core::proto::ProviderProfileCredential>,
+        dynamic_credentials: HashMap<String, crate::proto::ProviderProfileCredential>,
     ) -> usize {
         let (child_env, generation_resolver, current_resolver) =
             SecretResolver::from_provider_env_for_current_revision(

crates/openshell-supervisor-network/Cargo.toml

@@ -26,13 +26,15 @@ ipnet = "2"
 miette = { workspace = true }
 rcgen = { workspace = true }
 regorus = { version = "0.9", default-features = false, features = ["std", "arc", "glob", "yaml"] }
+reqwest = { workspace = true }
 rustls = { workspace = true }
 rustls-pemfile = { workspace = true }
 serde = { workspace = true }
 serde_json = { workspace = true }
 serde_yml = { workspace = true }
 sha1 = "0.10"
 sha2 = { workspace = true }
+spiffe = { workspace = true }
 thiserror = { workspace = true }
 tokio = { workspace = true }
 tokio-rustls = { workspace = true }

crates/openshell-supervisor-network/src/l7/token_grant_injection.rs

@@ -11,7 +11,7 @@ use miette::{Result, miette};
 use openshell_core::proto::{ProviderCredentialTokenGrant, ProviderProfileCredential};
 use openshell_ocsf::{
     ActionId, ActivityId, DispositionId, Endpoint, HttpActivityBuilder, HttpRequest, SeverityId,
-    StatusId, Url as OcsfUrl, ocsf_emit,
+    StatusId, Url as OcsfUrl, ctx::ctx as ocsf_ctx, ocsf_emit,
 };
 use tracing::warn;
 
@@ -97,7 +97,7 @@ pub async fn inject_if_needed(req: L7Request, ctx: &L7EvalContext) -> Result<L7R
                     inject_token_grant_header(&req.raw_header, &cred, &access_token)?;
                 let provider_key = ocsf_message_field(&provider_key);
                 ocsf_emit!(
-                    HttpActivityBuilder::new(crate::ocsf_ctx())
+                    HttpActivityBuilder::new(ocsf_ctx())
                         .activity(ActivityId::Other)
                         .action(ActionId::Allowed)
                         .disposition(DispositionId::Allowed)
@@ -131,7 +131,7 @@ pub async fn inject_if_needed(req: L7Request, ctx: &L7EvalContext) -> Result<L7R
                 );
                 let provider_key = ocsf_message_field(&provider_key);
                 ocsf_emit!(
-                    HttpActivityBuilder::new(crate::ocsf_ctx())
+                    HttpActivityBuilder::new(ocsf_ctx())
                         .activity(ActivityId::Fail)
                         .action(ActionId::Denied)
                         .disposition(DispositionId::Blocked)

crates/openshell-supervisor-network/src/lib.rs

@@ -16,3 +16,5 @@ pub mod policy_local;
 pub mod procfs;
 pub mod proxy;
 pub mod run;
+mod spiffe_endpoint;
+mod token_grant;