Summary
The /api/scaffold REST endpoint is wired in src/index.ts:63-67 before the OAuthProvider branch. Requests to it go straight to handleRestScaffold in src/rest-scaffold.ts, which validates the bearer token via AUTH_SERVICE but does not call checkRateLimit or reserveQuota/consumeQuota. A quick grep on src/rest-scaffold.ts for checkRateLimit, reserveQuota, or consumeQuota returns zero matches.
Net effect: any authenticated API key holder can call scaffold_create over REST without ever being rate-limited and without consuming credits. That's real unmetered traffic against a paid backend (STACKBILDER), not just a cosmetic gap.
Impact
Cost attribution is broken for REST callers — tenant credit ledgers don't reflect REST usage, so budget alerts, billing, and dashboards under-count for anyone using the CLI path.
The /mcp path enforces both correctly, so this is specifically a REST-surface divergence, not a platform-wide gap.
Proposed fix
handleRestScaffold should mirror the /mcp POST path: resolve auth → checkRateLimit → reserveQuota → call the backend → settleQuota → emit audit. The factoring in gateway.ts:handlePost around the tools/call dispatch is the template.
Context
Not a blocker for #26 (the MCP surface is correctly metered), but real drift. Flagged during the docs pass where I noted the bypass in architecture.md under Rate Limiting.
Labels
severity:medium — real user-observable impact (unmetered traffic / broken cost attribution), contained blast radius (one endpoint, authenticated-only), not actively exploited today.
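The ordering proposed in the fix (resolve auth, checkRateLimit, reserveQuota, backend call, settleQuota, audit), as an added sketch that is not the project's code. Only the function names come from the issue; the signatures, in-memory tenant record, limits, status codes and the refund-on-failure policy are assumptions, and the backend call is synchronous here only to keep the sketch short.

```typescript
// Added sketch, not the project's code. Only the names handleRestScaffold, checkRateLimit,
// reserveQuota and settleQuota come from the issue; every signature here is assumed.
type Tenant = { id: string; credits: number; reserved: number; calls: number[] };
type Result = { status: number; body: string };
const RATE_LIMIT = 2; // constructed: calls allowed per window
const WINDOW_MS = 60000;
const SCAFFOLD_COST = 5; // constructed: credits per scaffold_create
const auditLog: string[] = [];

function checkRateLimit(t: Tenant, now: number): boolean {
  t.calls = t.calls.filter((ts) => now - ts < WINDOW_MS);
  if (t.calls.length >= RATE_LIMIT) return false;
  t.calls.push(now);
  return true;
}

function reserveQuota(t: Tenant, cost: number): boolean {
  if (t.credits - t.reserved < cost) return false;
  t.reserved += cost;
  return true;
}

// Release the hold; debit the ledger only when the backend call succeeded (assumed policy).
function settleQuota(t: Tenant, cost: number, ok: boolean): void {
  t.reserved -= cost;
  if (ok) t.credits -= cost;
}

function deny(t: Tenant, status: number, reason: string): Result {
  auditLog.push(`${t.id} scaffold_create denied:${reason}`);
  return { status, body: reason };
}

function handleRestScaffold(t: Tenant | undefined, now: number, backend: () => string): Result {
  if (!t) return { status: 401, body: "unauthorized" };
  if (!checkRateLimit(t, now)) return deny(t, 429, "rate_limited");
  if (!reserveQuota(t, SCAFFOLD_COST)) return deny(t, 402, "quota_exhausted");
  let ok = false;
  try {
    const body = backend(); // stands in for the paid backend call
    ok = true;
    return { status: 200, body };
  } catch {
    return { status: 502, body: "backend_error" };
  } finally {
    settleQuota(t, SCAFFOLD_COST, ok); // runs on success and on failure
    auditLog.push(`${t.id} scaffold_create ${ok ? "ok" : "failed"}`);
  }
}
```

Putting settlement and the audit write in `finally` means a backend error cannot leave a reservation stuck or a call unrecorded.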