API Security Audit — 5 fixes from 53-finding automated test suite

2026-04-07

apirouterbudgetproviders

What We Built

Fixes for the most critical findings from a 53-finding automated API security audit (115 tests). Remaining findings tracked as GitHub issues #143-#149.

Fix 1 (#144): Input validation — non-string model types (numeric/array/boolean) no longer cause 500 ISE. Returns clean 400.

Fix 2 (#145): Cost amplification caps — n capped at 5, max_tokens capped at 32768. Negative values rejected. Temperature/top_p clamped to valid ranges.

Fix 3 (#143): RBAC on /v1/providers — developer keys now get 403. Admin/operator scope required.

Fix 4 (#147): Budget reservation increased from $0.001 to $0.05 to reduce overshoot on expensive requests.

Fix 5 (#148): Null content detection — X-BR-Null-Content header set when upstream returns 200 with empty content (Google Gemini Pro).

Lockstep Checklist

[x] API Routes: Input validation + RBAC in existing routes (no new endpoints)
[x] Ship Log: This entry
[ ] TS SDK / Python SDK: No new methods needed (fixes are server-side validation)
[ ] MCP Schemas: N/A