Security: protect compute and agent endpoints with auth and abuse controls #222

@MaxGhenis

Description

Summary

policyengine-api-v2-alpha exposes public, compute-heavy endpoints without authentication or rate limiting.

Severity

High

Impact

Unauthenticated callers can create database rows and trigger expensive Modal jobs or LLM-backed runs on demand. This is a direct cost-exhaustion and abuse surface.

Affected code

  • src/policyengine_api/main.py:61-88
  • src/policyengine_api/api/analysis.py:563-618
  • src/policyengine_api/api/household.py:828-1095
  • src/policyengine_api/api/outputs.py:85-137
  • src/policyengine_api/api/change_aggregates.py:86-144
  • src/policyengine_api/api/agent.py:105-230
  • src/policyengine_api/agent_sandbox.py:424-446,515-541

Details

The app mounts routers with no auth middleware, and endpoints such as:

  • POST /analysis/economic-impact
  • POST /household/calculate
  • POST /household/impact
  • POST /outputs
  • POST /change-aggregates
  • POST /agent/run

create rows and/or trigger background compute. agent_sandbox.py shows the agent path reaching Anthropic-backed execution with Modal secrets attached.

Expected behavior

These endpoints should require authenticated callers and should have abuse controls.

Suggested remediation

  • Add authentication/authorization to all compute-triggering routes
  • Add rate limiting and quota enforcement per caller
  • Consider separating public metadata endpoints from privileged compute endpoints
  • Add integration tests that assert anonymous requests are rejected
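The shape of the gate the remediation list describes, as an added example (not PolicyEngine's code and not tied to its web framework): a bearer-token check against hashed API keys, a per-caller token bucket for burst control, a daily quota, and a route table that lets public metadata routes through while every compute-triggering route goes through the gate. The caller ids, demo keys, `/metadata` route and limit values are assumptions for the example; the compute route list is taken from the issue.

```python
"""Framework-agnostic auth + abuse-control gate for compute-triggering routes.

Added example, not PolicyEngine code. In a FastAPI app this would be wired as a
dependency on each compute router; here it is a plain function so it runs offline.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


def _h(key: str) -> str:
    return hashlib.sha256(key.encode()).hexdigest()


# Constructed key store: SHA-256 of the raw API key -> caller id.
# Only hashes are stored, so a leaked table row is not a usable credential.
API_KEYS = {
    _h("demo-key-alice"): "alice",  # hypothetical caller
    _h("demo-key-bob"): "bob",      # hypothetical caller
}

# Routes from the issue that create rows and/or trigger compute.
COMPUTE_ROUTES = {
    ("POST", "/analysis/economic-impact"),
    ("POST", "/household/calculate"),
    ("POST", "/household/impact"),
    ("POST", "/outputs"),
    ("POST", "/change-aggregates"),
    ("POST", "/agent/run"),
}
# Hypothetical read-only metadata route that may stay public.
PUBLIC_ROUTES = {("GET", "/metadata")}


def authenticate(headers: Dict[str, str]) -> Optional[str]:
    """Return the caller id for a valid 'Authorization: Bearer <key>' header, else None."""
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        return None
    digest = _h(token)
    # Constant-time comparison of the presented hash against each stored hash.
    for stored, caller in API_KEYS.items():
        if hmac.compare_digest(digest, stored):
            return caller
    return None


@dataclass
class _Bucket:
    tokens: float
    last: float
    used_today: int = 0
    day: int = 0


class AbuseControl:
    """Token bucket (burst + steady rate) and a daily quota, both keyed per caller."""

    def __init__(self, burst: int = 5, refill_per_sec: float = 0.5, daily_quota: int = 100):
        self.burst, self.refill, self.daily_quota = burst, refill_per_sec, daily_quota
        self.buckets: Dict[str, _Bucket] = {}

    def allow(self, caller: str, now: float) -> Tuple[bool, str]:
        b = self.buckets.setdefault(caller, _Bucket(tokens=float(self.burst), last=now))
        b.tokens = min(float(self.burst), b.tokens + (now - b.last) * self.refill)
        b.last = now
        day = int(now // 86400)
        if day != b.day:  # roll the quota at the day boundary
            b.day, b.used_today = day, 0
        if b.used_today >= self.daily_quota:
            return False, "quota exceeded"
        if b.tokens < 1:
            return False, "rate limited"
        b.tokens -= 1
        b.used_today += 1
        return True, "ok"


def gate(headers: Dict[str, str], now: float, control: AbuseControl) -> Tuple[int, str]:
    """Auth first, then abuse controls: (401, reason) | (429, reason) | (200, caller)."""
    caller = authenticate(headers)
    if caller is None:
        return 401, "authentication required"
    ok, reason = control.allow(caller, now)
    return (200, caller) if ok else (429, reason)


def route_decision(method: str, path: str, headers: Dict[str, str],
                   now: float, control: AbuseControl) -> Tuple[int, str]:
    """Public metadata routes pass through; compute routes must clear the gate."""
    if (method, path) in PUBLIC_ROUTES:
        return 200, "public"
    if (method, path) in COMPUTE_ROUTES:
        return gate(headers, now, control)
    return 404, "unknown route"


if __name__ == "__main__":
    ctrl = AbuseControl(burst=2, refill_per_sec=0.0, daily_quota=3)
    print(route_decision("POST", "/agent/run", {}, 0.0, ctrl))
    print(route_decision("POST", "/agent/run", {"authorization": "Bearer demo-key-alice"}, 0.0, ctrl))
```

The ordering matters: the quota check runs before the bucket so an exhausted caller gets a stable "quota exceeded" rather than intermittently slipping through on refill, and the anonymous case is rejected before any per-caller state is created, so unauthenticated traffic cannot grow the bucket table. The integration test the issue asks for is the last assertion shape: an anonymous POST to each compute route must come back 401.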
