RLM Security Audit: tangle-network/agent-dev-container#882

Health: 60/100 | Confidence: 80/100

PR #882 adds TEE confidential passthrough with solid Zod schema validation and fail-closed driver checking, but it critically lacks authorization gating and uses raw Error instead of structured errors. Any authenticated user can provision expensive TEE sandboxes, and raw Error throws will likely surface as 500s instead of the expected 400 CONFIG_ERROR. Remediate the auth gate and switch to ConfigError before merge. Unit tests should assert on error type, not message strings.

1. 🟣 [CRITICAL]

File: products/sandbox/api/src/routes/sandboxes.ts

The PR introduces confidential (TEE) sandbox passthrough without any authorization, tier, or quota check. Any authenticated user can provision a TEE-backed sandbox as long as they set driver.type to 'tangle', bypassing billing and capacity controls.

Blast radius: Subscription bypass, TEE capacity exhaustion, financial loss, potential DoS for paying customers.

2. 🔴 [HIGH]

File: products/sandbox/api/src/routes/sandboxes.ts

toOrchestratorConfig throws raw Error objects for confidential validation failures. The codebase uses typed errors (ForbiddenError, NotFoundError, DriverRoutingError) and the integration test expects HTTP 400 with code 'CONFIG_ERROR'. Raw Error bypasses the structured serializer and will likely produce a 500 response, breaking the API contract.

Blast radius: Broken HTTP contract, misleading 500s for client errors, bypass of existing error metrics/filtering.

3. 🟑 [LOW]

File: products/sandbox/api/tests/sandboxes-config.test.ts

Unit tests for confidential rejection assert on regex-matched error message strings rather than the error class or code. This is brittle and will break if the message text is reworded.

Blast radius: Fragile tests, maintenance burden.
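The three findings above share one remediation shape: a typed error hierarchy that the HTTP layer can map to a status and code, an entitlement check that runs before a `tangle` driver request reaches the orchestrator, and tests that assert on the error class rather than its message. The block below is an added example illustrating all three; it is not code from tangle-network/agent-dev-container or PR #882. The class names `ApiError`, `ConfigError`, `ForbiddenError`, the `Principal` shape with a `confidential` entitlement, the `docker`/`tangle` driver names, the `serializeError` function and the sample users are assumptions chosen for illustration, and a hand-written check stands in for the PR's Zod schema so the file runs without dependencies.

```typescript
// Added example (not the project's code). All names below are assumptions
// modelled on the audit findings, not the real sandbox API.

// Base class for errors the HTTP layer knows how to serialize. Status and code
// live on the error, so tests and serializers never parse message text.
export class ApiError extends Error {
  readonly status: number;
  readonly code: string;
  constructor(message: string, status: number, code: string) {
    super(message);
    this.name = this.constructor.name;
    this.status = status;
    this.code = code;
  }
}

// 400: request body failed config validation (the audit's expected CONFIG_ERROR).
export class ConfigError extends ApiError {
  constructor(message: string) {
    super(message, 400, "CONFIG_ERROR");
  }
}

// 403: caller is authenticated but not entitled to the requested driver.
export class ForbiddenError extends ApiError {
  constructor(message: string) {
    super(message, 403, "FORBIDDEN");
  }
}

// Hypothetical authenticated caller; "confidential" would be granted by billing tier.
export interface Principal {
  userId: string;
  entitlements: ReadonlySet<string>;
}

export interface SandboxRequest {
  driver?: { type?: string; confidential?: boolean };
  image?: string;
}

export interface OrchestratorConfig {
  driver: "docker" | "tangle";
  confidential: boolean;
  image: string;
}

const ALLOWED_DRIVERS: ReadonlySet<string> = new Set(["docker", "tangle"]);

// Builds the orchestrator config from a request body and fails closed:
// unknown driver or confidential=true on a non-TEE driver -> ConfigError (400);
// TEE driver requested by a caller without the entitlement -> ForbiddenError (403).
// Both are thrown before any capacity or billing side effect happens.
export function toOrchestratorConfig(req: SandboxRequest, who: Principal): OrchestratorConfig {
  const image = req.image;
  if (typeof image !== "string" || image.length === 0) {
    throw new ConfigError("image is required");
  }
  const type = req.driver?.type ?? "docker";
  if (!ALLOWED_DRIVERS.has(type)) {
    throw new ConfigError(`unsupported driver type: ${type}`);
  }
  const confidential = req.driver?.confidential ?? (type === "tangle");
  if (confidential && type !== "tangle") {
    throw new ConfigError(`driver ${type} cannot provide a confidential (TEE) sandbox`);
  }
  // Authorization gate: selecting the TEE driver is an entitled operation,
  // not a free config knob. This is the check finding 1 says is missing.
  if (type === "tangle" && !who.entitlements.has("confidential")) {
    throw new ForbiddenError(`user ${who.userId} is not entitled to confidential sandboxes`);
  }
  return { driver: type as "docker" | "tangle", confidential, image };
}

// HTTP boundary: typed errors carry their own status/code; anything else is an
// internal error. A raw `throw new Error(...)` takes the 500 branch, which is
// exactly the contract break finding 2 describes.
export function serializeError(err: unknown): { status: number; body: { code: string; message: string } } {
  if (err instanceof ApiError) {
    return { status: err.status, body: { code: err.code, message: err.message } };
  }
  return { status: 500, body: { code: "INTERNAL_ERROR", message: "internal server error" } };
}

// Returns the error a call throws (or undefined), so tests can assert on the
// class and code instead of regex-matching the message (finding 3).
export function errorFrom(fn: () => unknown): unknown {
  try {
    fn();
    return undefined;
  } catch (e) {
    return e;
  }
}

// Constructed sample principals for the checks below.
export const PAID_USER: Principal = { userId: "u-paid", entitlements: new Set(["confidential"]) };
export const FREE_USER: Principal = { userId: "u-free", entitlements: new Set() };
```

In a test, the assertion becomes `errorFrom(() => toOrchestratorConfig(body, FREE_USER)) instanceof ForbiddenError` and `serializeError(err).body.code === "CONFIG_ERROR"`, which survives any rewording of the message. Note that the entitlement check happens after schema validation but before the config is returned, so an unentitled caller never gets as far as the orchestrator.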
