Governance endpoints: cap unbounded ?limit on lineage and sampling-audit

2026-05-07

securityapigovernance

What We Built

GET /v1/governance/lineage and GET /v1/intelligence/sampling-audit accepted unbounded ?limit. limit=999999999 would force serialization of the entire ring buffer. Capped at 500.

Why It Matters

DoS / memory-exhaustion vector. Anyone with a valid token could request limit=10^9 and cost megabytes per call.

How It Works

Math.min(Number(c.req.query('limit') ?? 50) || 50, 500). Four regression tests: caps at 500, defaults preserved at 50, both endpoints.

Lockstep Checklist

[x] No API route changes (middleware/internal — lockstep N/A)
[x] No SDK changes
[x] No MCP tool changes
[x] Regression test included (test-first invariant per /quality-fleet protocol)
[x] Linked to /quality-fleet R1 dashboard at .quality/dashboard.md

Provenance

Auto-found by /quality-fleet R1 (2026-05-07) scanner round, fixed in fix-agent batch under "go for all of it" autonomy grant. PR #210 merged to main as commit 553d83174. Finding(s) tracked at .quality/findings.jsonl (entries: "2e9d4f7c1b3a", "8f1a3e6c9d47"). Production-deployed via ECS task-def revision 732 series.