Parent umbrella issue: #495
Source audit: Weekly tech debt audit: dispatch - 2026-07-01
Source audit date: 2026-07-01
Original recommendation
No rate limiting or request throttling on any API endpoint
Evidence: All route handlers in src/app/api/* process requests without any rate limiting, throttling, or concurrency limiting. A compromised agent token or exposed endpoint could trigger unlimited API calls to:
/api/groomer/run — costs money per LLM call
/api/issues/move — mutates GitHub labels
/api/sync — fetches GitHub API data
/api/agent-runs — writes to database
The only concurrency guard is the sync lock (src/lib/sync-lock.ts), which prevents overlapping sync runs. No other endpoint has similar protection.
Matched top finding
Evidence: All route handlers in src/app/api/* process requests without any rate limiting, throttling, or concurrency limiting. A compromised agent token or exposed endpoint could trigger unlimited API calls to:
/api/groomer/run — costs money per LLM call
/api/issues/move — mutates GitHub labels
/api/sync — fetches GitHub API data
/api/agent-runs — writes to database
The only concurrency guard is the sync lock (src/lib/sync-lock.ts), which prevents overlapping sync runs. No other endpoint has similar protection.
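The evidence above names the gap but not a control. As an added example that is not the project's code, the block below shows the shape of a fix for route handlers like the ones listed: a per-caller token bucket (burst capacity plus a sustained refill rate) wrapped around a handler, returning 429 with a Retry-After header when the bucket is empty. It assumes a minimal request/response shape instead of Next.js's `NextRequest`, keys callers by bearer token (the agent-token case in the evidence) or client IP, and takes an injectable clock so the limiter can be exercised deterministically; `TokenBucketLimiter`, `withRateLimit`, `clientKey`, `simulateBurst` and the bucket sizes are all hypothetical names and values chosen for the illustration.

```typescript
// Added example, not the project's code. Names and sizes are assumptions.

type Clock = () => number; // milliseconds; injectable for deterministic tests

interface BucketConfig {
  capacity: number;     // burst size: requests allowed back-to-back
  refillPerSec: number; // sustained rate: tokens added per second
}

interface Bucket { tokens: number; updatedAt: number; }

// In-memory, per-process limiter. One bucket per caller key.
class TokenBucketLimiter {
  private buckets = new Map<string, Bucket>();
  constructor(private cfg: BucketConfig, private now: Clock = () => Date.now()) {}

  // Consumes one token for `key` and returns true, or returns false when the
  // bucket is empty (the caller should be answered with 429).
  tryAcquire(key: string): boolean {
    const t = this.now();
    let b = this.buckets.get(key);
    if (!b) {
      b = { tokens: this.cfg.capacity, updatedAt: t };
      this.buckets.set(key, b);
    }
    // Lazy refill: add tokens for the time elapsed since the last call, capped at capacity.
    const elapsedSec = Math.max(0, t - b.updatedAt) / 1000;
    b.tokens = Math.min(this.cfg.capacity, b.tokens + elapsedSec * this.cfg.refillPerSec);
    b.updatedAt = t;
    if (b.tokens >= 1) { b.tokens -= 1; return true; }
    return false;
  }

  // Whole seconds until one token is available again; used for Retry-After.
  retryAfterSec(key: string): number {
    const b = this.buckets.get(key);
    if (!b || b.tokens >= 1) return 0;
    return Math.ceil((1 - b.tokens) / this.cfg.refillPerSec);
  }
}

// Minimal request/response shapes so the example runs without Next.js.
interface ApiRequest { headers: Record<string, string>; ip?: string; }
interface ApiResponse { status: number; headers?: Record<string, string>; body: string; }
type Handler = (req: ApiRequest) => ApiResponse;

// Key by bearer token when present (a leaked agent token gets its own bucket),
// otherwise by client IP.
function clientKey(req: ApiRequest): string {
  const auth = req.headers["authorization"] ?? "";
  if (auth.startsWith("Bearer ")) return "token:" + auth.slice(7);
  return "ip:" + (req.ip ?? "unknown");
}

// Wraps a route handler so over-limit callers get 429 before any work is done.
function withRateLimit(limiter: TokenBucketLimiter, handler: Handler): Handler {
  return (req) => {
    const key = clientKey(req);
    if (!limiter.tryAcquire(key)) {
      return {
        status: 429,
        headers: { "Retry-After": String(limiter.retryAfterSec(key)) },
        body: "rate limited",
      };
    }
    return handler(req);
  };
}

// Simulation: a stand-in for a costly handler (think /api/groomer/run) that
// counts how many "LLM calls" a single token can trigger under the limiter.
// `advanceMsBetween` is how much the constructed clock moves between requests.
function simulateBurst(requests: number, capacity: number, refillPerSec: number,
                       advanceMsBetween = 0): { llmCalls: number; rejected: number } {
  let clock = 0;
  const limiter = new TokenBucketLimiter({ capacity, refillPerSec }, () => clock);
  let llmCalls = 0;
  const handler = withRateLimit(limiter, () => { llmCalls++; return { status: 200, body: "ok" }; });
  const req: ApiRequest = { headers: { authorization: "Bearer constructed-agent-token" } };
  let rejected = 0;
  for (let i = 0; i < requests; i++) {
    if (handler(req).status === 429) rejected++;
    clock += advanceMsBetween;
  }
  return { llmCalls, rejected };
}

// Example run: 10 back-to-back requests against a bucket of 5 at 1 token/s.
console.log(simulateBurst(10, 5, 1, 0)); // { llmCalls: 5, rejected: 5 }
```

Because the buckets live in process memory, the cap only holds per instance; a deployment with several replicas needs the bucket state in a shared store, and a concurrency limit (like the existing sync lock) is still the right tool for endpoints where the concern is overlapping work rather than call volume.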