diff --git a/crates/openshell-sandbox/src/ssh.rs b/crates/openshell-sandbox/src/ssh.rs
index 4b2cd1572..9a12efdde 100644
--- a/crates/openshell-sandbox/src/ssh.rs
+++ b/crates/openshell-sandbox/src/ssh.rs
@@ -694,6 +694,19 @@ fn apply_child_env(
 for (key, value) in provider_env {
 cmd.env(key, value);
 }
+
+ // Pass through infrastructure env vars set by the compute driver.
+ // These point to inference.local (the sandbox proxy endpoint) and are
+ // not user secrets — they must be readable as URLs by child processes.
+ for key in [
+ "ANTHROPIC_BASE_URL",
+ "OPENAI_BASE_URL",
+ "CLAUDE_CODE_DISABLE_EXPERIMENTAL_BETAS",
+ ] {
+ if let Ok(val) = std::env::var(key) {
+ cmd.env(key, val);
+ }
+ }
 }

 #[allow(clippy::too_many_arguments)]
diff --git a/crates/openshell-server/src/auth/oidc.rs b/crates/openshell-server/src/auth/oidc.rs
index 8af6804b8..74cb0611c 100644
--- a/crates/openshell-server/src/auth/oidc.rs
+++ b/crates/openshell-server/src/auth/oidc.rs
@@ -33,6 +33,8 @@ pub const AUTH_SOURCE_SANDBOX_SECRET: &str = "sandbox-secret";
 /// Truly unauthenticated methods — health probes and infrastructure.
 const UNAUTHENTICATED_METHODS: &[&str] = &[
 "/openshell.v1.OpenShell/Health",
+ "/openshell.v1.OpenShell/ConnectSupervisor",
+ "/openshell.v1.OpenShell/RelayStream",
 "/openshell.inference.v1.Inference/Health",
 ];
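Review bot: The passthrough loop runs after the `provider_env` loop, so a value inherited from the supervisor's own environment silently replaces a provider-supplied `ANTHROPIC_BASE_URL` or `OPENAI_BASE_URL`, and nothing checks the comment's claim that the value points at inference.local. If that precedence is intended, say so in the comment, e.g. `// Applied after provider_env on purpose: the driver-set proxy URL must win over any provider value.`; if it is not, skip keys that `provider_env` already set. Child processes will presumably direct their API traffic to whatever host this URL names, so consider logging or rejecting a value whose host is not the expected proxy endpoint instead of forwarding it verbatim. `std::env::var` also returns `Err` for a non-Unicode value, so such a setting is dropped without any trace. The body of `apply_child_env` starts before this hunk, so how `provider_env` is built is not visible here.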
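Review bot: `ConnectSupervisor` and `RelayStream` are added to a list whose doc comment reads "Truly unauthenticated methods — health probes and infrastructure", so a supervisor connection and a relay stream now appear to skip this auth layer exactly as a health probe does. The handlers are not visible in this hunk; if they authenticate the caller themselves (the neighbouring `AUTH_SOURCE_SANDBOX_SECRET` suggests a sandbox-secret path exists), state that on each entry, e.g. `// authenticated in-handler via <mechanism>, not by OIDC`, or move them to a separately named list so the "truly unauthenticated" one stays limited to health probes. If they do not, any client that can reach the gRPC endpoint can open these streams, and the exemption needs a handler-side check before it is merged. A test asserting that both methods reject a call without valid credentials would pin whichever behaviour is intended.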