From 3cfed1ebe3e3f06c2f4f1cd3907b3ae2d21ed1f2 Mon Sep 17 00:00:00 2001
From: Jason Woltje
Date: Thu, 5 Feb 2026 19:21:35 -0600
Subject: [PATCH] fix(SEC-ORCH-19): Validate agentId path parameter as UUID
Add ParseUUIDPipe to getAgentStatus and killAgent endpoints to reject invalid agentId values with a 400 Bad Request. This prevents potential injection attacks and ensures type safety for agent lookups.
Refs #339
Co-Authored-By: Claude Opus 4.5
---
 apps/orchestrator/src/api/agents/agents.controller.ts | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/apps/orchestrator/src/api/agents/agents.controller.ts b/apps/orchestrator/src/api/agents/agents.controller.ts
index 3c0bd52..fb46d7b 100644
--- a/apps/orchestrator/src/api/agents/agents.controller.ts
+++ b/apps/orchestrator/src/api/agents/agents.controller.ts
@@ -11,6 +11,7 @@ import {
 ValidationPipe,
 HttpCode,
 UseGuards,
+ ParseUUIDPipe,
 } from "@nestjs/common";
 import { Throttle } from "@nestjs/throttler";
 import { QueueService } from "../../queue/queue.service";
@@ -133,7 +134,7 @@ export class AgentsController {
 */
 @Get(":agentId/status")
 @Throttle({ status: { limit: 200, ttl: 60000 } })
- async getAgentStatus(@Param("agentId") agentId: string): Promise<{
+ async getAgentStatus(@Param("agentId", ParseUUIDPipe) agentId: string): Promise<{
 agentId: string;
 taskId: string;
 status: string;
@@ -193,7 +194,7 @@ export class AgentsController {
 @Post(":agentId/kill")
 @Throttle({ strict: { limit: 10, ttl: 60000 } })
 @HttpCode(200)
- async killAgent(@Param("agentId") agentId: string): Promise<{ message: string }> {
+ async killAgent(@Param("agentId", ParseUUIDPipe) agentId: string): Promise<{ message: string }> {
 this.logger.warn(`Received kill request for agent: ${agentId}`);
 try {
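Review bot: `ParseUUIDPipe` is passed with its defaults in the new `getAgentStatus` signature, so every UUID version the pipe recognises is accepted rather than only the one the orchestrator issues. If agent ids are always v4 (how they are generated is not visible in this patch), `@Param("agentId", new ParseUUIDPipe({ version: "4" })) agentId: string` narrows the input to ids that can actually exist; the same applies to `killAgent` in the next hunk. The doc comment that closes just above `@Get` could also state the new contract, e.g. `@throws BadRequestException (400) when agentId is not a valid UUID`. The method body continues outside the hunk.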
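Review bot: Nothing in this patch pins the new 400 response: the diffstat lists only the controller, and a unit test that calls `controller.killAgent("not-a-uuid")` directly would not run the pipe, because parameter pipes are applied by the Nest request pipeline. A request-level test that sends a malformed id to both `:agentId/kill` and `:agentId/status` and asserts 400 would keep the validation from being dropped in a later refactor. Separately, a malformed id is now rejected before `this.logger.warn(...)` executes, so rejected kill attempts are not recorded by this handler; if they matter for monitoring, record them in an exception filter or through the pipe's `exceptionFactory` option. The `try` block continues outside the hunk.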