fix(server): add ConnectSupervisor and RelayStream to SANDBOX_METHODS

The supervisor's ConnectSupervisor and RelayStream RPCs were missing
from the SANDBOX_METHODS exemption list. When OIDC is enabled without
mTLS (disable_tls = true), these RPCs are rejected because the
supervisor does not carry an OIDC Bearer token. This causes sandbox
connect to fail with "supervisor session not connected".

Both RPCs are exclusively called by the sandbox supervisor, matching
the existing SANDBOX_METHODS pattern. They already work in mTLS-only
mode where all requests pass via the TLS handshake.

Fixes #1470

Signed-off-by: Adel Zaalouk <azaalouk@redhat.com>

Author: zanetworker

crates/openshell-server/src/auth/oidc.rs

@@ -51,6 +51,8 @@ const SANDBOX_METHODS: &[&str] = &[
     "/openshell.v1.OpenShell/SubmitPolicyAnalysis",
     "/openshell.sandbox.v1.SandboxService/GetSandboxConfig",
     "/openshell.inference.v1.Inference/GetInferenceBundle",
+    "/openshell.v1.OpenShell/ConnectSupervisor",
+    "/openshell.v1.OpenShell/RelayStream",
 ];
 
 /// Methods that accept either an OIDC Bearer token (CLI users, full scope)
@@ -469,6 +471,10 @@ mod tests {
         assert!(is_sandbox_method(
             "/openshell.inference.v1.Inference/GetInferenceBundle"
         ));
+        assert!(is_sandbox_method(
+            "/openshell.v1.OpenShell/ConnectSupervisor"
+        ));
+        assert!(is_sandbox_method("/openshell.v1.OpenShell/RelayStream"));
     }
 
     #[test]