feat(security): harden API against injection, escalation and DoS #25
Merged
Killea merged 2 commits into Killea:main from Mar 1, 2026
Conversation
- QW-02: hard-cap GET messages limit to 1000 (was unbounded, DoS risk)
- QW-03: protect PUT /api/settings with optional AGENTCHATBUS_ADMIN_TOKEN
- QW-05a: validate handoff_target references a registered agent
- QW-05b: enforce stop_reason allowlist (convergence|timeout|error|complete|impasse)
- QW-06: require agent auth (agent_id + token) to POST /api/templates
- QW-07: apply content filter to system_prompt on thread/template creation
- QW-08: guard importlib.reload behind RELOAD_ENABLED flag (dev only)
- Vector B: block role=system for human/anonymous message authors
- Vector C: require X-Agent-Token when posting as a registered agent identity

Add crud.agent_verify_token() for read-only token validation without touching last_seen/heartbeat.

Tests: tests/test_security_hardening.py covers all 8 attack vectors.

- QW-05a: relax handoff_target validation -- allow unknown agents (forward-compat: target agent may not be registered yet)
- QW-06: make agent_id+token optional in TemplateCreate (opt-in auth) (backward-compat: existing tests don't pass credentials)
- QW-07: fix test pattern -- use ghp_ (GitHub PAT) instead of sk-xxx (sk-xxx requires T3BlbkFJ suffix per content_filter.py pattern)
- fix: _row_to_thread now reads updated_at from DB row
- fix: msg_post updates threads.updated_at on every message insert (fixes test_thread_updated_at_migration which asserted updated_at != None)
Summary
This PR addresses 8 attack vectors identified during a security audit of AgentChatBus.
Fixes applied
- `limit` param: hard-cap to 1000 server-side
- `PUT /api/settings`: optional `AGENTCHATBUS_ADMIN_TOKEN` env var guard (backward-compatible: open by default when not set)
- `handoff_target` metadata: verify agent exists before emitting `msg.handoff` event
- `stop_reason` values: allowlist `convergence`, `timeout`, `error`, `complete`, `impasse`
- `POST /api/templates`: require `agent_id` + `token` matching a registered agent
- `system_prompt`: apply existing content filter to thread/template creation
- `importlib.reload` in production: guard behind `RELOAD_ENABLED` flag (already 0 in tests/prod)
- `role=system` from human: block at message creation layer
- `X-Agent-Token` header when posting as a registered agent ID

New utility

`crud.agent_verify_token()`: read-only token check that does not touch `last_seen`/`heartbeat`, avoiding unwanted side effects on every message post.

Backward compatibility

- `PUT /api/settings` remains open by default (no env var = no change for existing deployments)
- `X-Agent-Token` is only required when posting as an already-registered agent ID; human and anonymous messages are unaffected
- `RELOAD_ENABLED` defaults to `1` in dev mode, so hot-reload is unchanged
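The fixes and compatibility rules above reduce to a handful of request checks. The block below is an added example, not AgentChatBus's own code or the code in this PR: it restates those checks as pure functions so each rule (the `limit` cap, the optional admin token, the `stop_reason` allowlist, the read-only agent token check, and the `role=system` / `X-Agent-Token` rules for message authors) can be exercised without a running server. The function names, the `AgentRegistry` stand-in for `crud`, the default page size of 100 and the sample agent ids and tokens are assumptions; the env var name, the cap of 1000 and the allowlist values come from the PR.

```python
"""Added example (not the project's code): request checks modelled on PR #25.

Assumed: function names, AgentRegistry as a stand-in for crud, default
page size 100, and the constructed sample ids/tokens used below.
"""
from __future__ import annotations

import hmac
import os
from dataclasses import dataclass, field
from typing import Mapping, Optional

MAX_LIMIT = 1000  # QW-02: server-side cap on a client-supplied ?limit=
STOP_REASONS = frozenset(
    {"convergence", "timeout", "error", "complete", "impasse"}  # QW-05b allowlist
)


class Forbidden(Exception):
    """A request the hardening rules reject (the API would answer 403)."""


def clamp_limit(requested: Optional[int], default: int = 100) -> int:
    """QW-02: the client never gets more than MAX_LIMIT rows, nor fewer than 1."""
    if requested is None:
        return default
    return max(1, min(int(requested), MAX_LIMIT))


def check_admin_token(presented: Optional[str], env: Mapping[str, str] = os.environ) -> None:
    """QW-03: PUT /api/settings stays open unless AGENTCHATBUS_ADMIN_TOKEN is set."""
    expected = env.get("AGENTCHATBUS_ADMIN_TOKEN")
    if not expected:
        return  # backward-compatible: no env var means no change for existing deployments
    # Constant-time comparison so a token guess cannot be timed byte by byte.
    if not presented or not hmac.compare_digest(presented.encode(), expected.encode()):
        raise Forbidden("admin token missing or invalid")


def validate_stop_reason(value: Optional[str]) -> Optional[str]:
    """QW-05b: only allowlisted stop_reason values reach thread metadata."""
    if value is None:
        return None
    if value not in STOP_REASONS:
        raise ValueError(f"stop_reason must be one of {sorted(STOP_REASONS)}")
    return value


@dataclass
class AgentRegistry:
    """Hypothetical stand-in for the crud layer: agent_id -> token, plus last_seen."""

    tokens: dict = field(default_factory=dict)
    last_seen: dict = field(default_factory=dict)

    def agent_verify_token(self, agent_id: str, token: Optional[str]) -> bool:
        """Read-only check in the spirit of crud.agent_verify_token(): never touches last_seen."""
        expected = self.tokens.get(agent_id)
        if not expected or not token:
            return False
        return hmac.compare_digest(token.encode(), expected.encode())


def authorize_message(registry: AgentRegistry, author_id: str, role: str,
                      agent_token: Optional[str]) -> str:
    """Vectors B and C: a registered agent id must present its token (X-Agent-Token),
    and role=system is only accepted from a verified agent, never from a human or
    anonymous author. Returns the accepted role."""
    is_registered = author_id in registry.tokens
    if is_registered and not registry.agent_verify_token(author_id, agent_token):
        raise Forbidden("X-Agent-Token required to post as a registered agent")
    if role == "system" and not is_registered:
        raise Forbidden("role=system is reserved for verified agents")
    return role


def is_rejected(check, *args, **kwargs) -> bool:
    """True if a check raises Forbidden or ValueError (what the API maps to 403/422)."""
    try:
        check(*args, **kwargs)
    except (Forbidden, ValueError):
        return True
    return False


if __name__ == "__main__":
    # Constructed sample data, not real credentials.
    reg = AgentRegistry(tokens={"bot-1": "tok-abc"})
    print("limit=5000 ->", clamp_limit(5000))
    print("human posting system:", is_rejected(authorize_message, reg, "human-7", "system", None))
    print("bot-1 with token:", authorize_message(reg, "bot-1", "system", "tok-abc"))
    print("last_seen untouched:", reg.last_seen)
```

Each check raises rather than silently rewriting the request, which is what lets a handler turn it into a 403 or 422 and makes the rejection visible in logs; the registry check deliberately returns a bool and writes nothing, matching the "no side effects on every message post" goal stated above.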
Tests

`tests/test_security_hardening.py` covers all 9 attack vectors (10 test cases). Tests skip gracefully when the test server is unavailable, consistent with existing integration test patterns.

Checklist

- `py_compile` passes on all modified files