No rate limiting or request throttling on any API endpoint #527

Description

@itsmiso-ai

Parent umbrella issue: #495
Source audit: Weekly tech debt audit: dispatch - 2026-07-01
Source audit date: 2026-07-01

Original recommendation

No rate limiting or request throttling on any API endpoint

Evidence: All route handlers in src/app/api/* process requests without any rate limiting, throttling, or concurrency limiting. A compromised agent token or exposed endpoint could trigger unlimited API calls to:

  • /api/groomer/run — costs money per LLM call
  • /api/issues/move — mutates GitHub labels
  • /api/sync — fetches GitHub API data
  • /api/agent-runs — writes to database

The only concurrency guard is the sync lock (src/lib/sync-lock.ts) which prevents overlapping sync runs. No other endpoint has similar protection.
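One way to close the gap described above, as an added example rather than code from the project: a per-route token bucket keyed by a hash of the calling agent token, so a single leaked token cannot drive unbounded calls to the costly or mutating routes. The route paths are the ones listed in the issue; the `RateLimiter` class, the budgets in `POLICIES`, the `simulateBurst` helper and the sample token are assumptions.

```typescript
// Added example: per-route token-bucket rate limiting keyed by agent token.
// Route paths come from the issue; limits and class names are assumptions.
import { createHash } from "node:crypto";

interface Policy { capacity: number; refillPerSec: number; }
interface Bucket { tokens: number; updatedMs: number; }

// Tighter budgets for the routes that spend money or mutate state (assumed values).
export const POLICIES: Record<string, Policy> = {
  "/api/groomer/run": { capacity: 2, refillPerSec: 2 / 60 },    // 2 LLM runs per minute
  "/api/issues/move": { capacity: 10, refillPerSec: 10 / 60 },  // 10 label changes per minute
  "/api/sync":        { capacity: 1, refillPerSec: 1 / 300 },   // 1 sync per 5 minutes
  "/api/agent-runs":  { capacity: 30, refillPerSec: 0.5 },      // 30 writes per minute, burst 30
};
const DEFAULT_POLICY: Policy = { capacity: 60, refillPerSec: 1 };

export class RateLimiter {
  private buckets = new Map<string, Bucket>();
  constructor(private policies: Record<string, Policy> = POLICIES,
              private fallback: Policy = DEFAULT_POLICY) {}

  // Returns true if the call may proceed. nowMs is injected so behaviour is deterministic in tests.
  allow(route: string, agentToken: string, nowMs: number): boolean {
    const policy = this.policies[route] ?? this.fallback;
    // Key by a hash so raw bearer tokens are not retained in the limiter's memory.
    const digest = createHash("sha256").update(agentToken).digest("hex").slice(0, 16);
    const key = `${route}|${digest}`;
    const b = this.buckets.get(key) ?? { tokens: policy.capacity, updatedMs: nowMs };
    // Refill proportionally to elapsed time, never above capacity.
    const elapsedSec = Math.max(0, nowMs - b.updatedMs) / 1000;
    b.tokens = Math.min(policy.capacity, b.tokens + elapsedSec * policy.refillPerSec);
    b.updatedMs = nowMs;
    const allowed = b.tokens >= 1;
    if (allowed) b.tokens -= 1;
    this.buckets.set(key, b);
    return allowed;
  }
}

// Simulate a burst of n calls from one token at the same instant and count the outcomes.
export function simulateBurst(route: string, n: number, nowMs = 0): { allowed: number; rejected: number } {
  const limiter = new RateLimiter();
  let allowed = 0;
  for (let i = 0; i < n; i++) {
    if (limiter.allow(route, "constructed-agent-token", nowMs)) allowed++;  // constructed sample token
  }
  return { allowed, rejected: n - allowed };
}
```

In a route handler the check runs before any work is done and a rejected call returns 429; the sync lock in src/lib/sync-lock.ts remains the overlap guard for /api/sync, since a rate limit bounds volume but does not serialise concurrent runs.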


Matched top finding


Metadata

Labels

  • audit: Audit, review, or investigation work.
  • priority/p1: High priority.
  • status/backlog: Not ready for worker pickup yet.
