fix(#121): Remediate security issues from ORCH-121 review

Priority Fixes (Required Before Production):

H3: Add rate limiting to webhook endpoint
- Added slowapi library for FastAPI rate limiting
- Implemented per-IP rate limiting (100 req/min) on webhook endpoint
- Added global rate limiting support via slowapi

M4: Add subprocess timeouts to all gates
- Added timeout=300 (5 minutes) to all subprocess.run() calls in gates
- Implemented proper TimeoutExpired exception handling
- Removed dead CalledProcessError handlers (check=False makes them unreachable)

M2: Add input validation on QualityCheckRequest
- Validate files array size (max 1000 files)
- Validate file paths (no path traversal, no null bytes, no absolute paths)
- Validate diff summary size (max 10KB)
- Validate taskId and agentId format (non-empty)

Additional Fixes:

H1: Fix coverage.json path resolution
- Use absolute paths resolved from project root
- Validate path is within project boundaries (prevent path traversal)

Code Review Cleanup:
- Moved imports to module level in quality_orchestrator.py
- Refactored mock detection logic into separate helper methods
- Removed dead subprocess.CalledProcessError exception handlers from all gates

Testing:
- Added comprehensive tests for all security fixes
- All 339 coordinator tests pass
- All 447 orchestrator tests pass
- Followed TDD principles (RED-GREEN-REFACTOR)

Security Impact:
- Prevents webhook DoS attacks via rate limiting
- Prevents hung processes via subprocess timeouts
- Prevents path traversal attacks via input validation
- Prevents malformed input attacks via comprehensive validation

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

apps/coordinator/tests/gates/test_build_gate.py

@@ -131,3 +131,37 @@ class TestBuildGate:
             assert result.passed is False
             assert "unexpected error" in result.message.lower()
             assert "error" in result.details
+
+    def test_check_uses_timeout(self) -> None:
+        """Test that check() sets a timeout on subprocess.run."""
+        mock_result = MagicMock()
+        mock_result.returncode = 0
+        mock_result.stdout = "Success: no issues found"
+        mock_result.stderr = ""
+
+        with patch("subprocess.run", return_value=mock_result) as mock_run:
+            gate = BuildGate()
+            gate.check()
+
+            # Verify timeout is set
+            mock_run.assert_called_once()
+            call_kwargs = mock_run.call_args[1]
+            assert "timeout" in call_kwargs
+            assert call_kwargs["timeout"] == 300  # 5 minutes
+
+    def test_check_handles_timeout_exception(self) -> None:
+        """Test that check() handles subprocess timeout gracefully."""
+        # Mock subprocess.run to raise TimeoutExpired
+        with patch(
+            "subprocess.run",
+            side_effect=subprocess.TimeoutExpired("mypy", timeout=300),
+        ):
+            gate = BuildGate()
+            result = gate.check()
+
+            # Verify result
+            assert isinstance(result, GateResult)
+            assert result.passed is False
+            # TimeoutExpired message contains "timed out after"
+            assert "timed out" in result.message.lower() or "timeout" in result.message.lower()
+            assert "error" in result.details

apps/coordinator/tests/gates/test_coverage_gate.py

@@ -254,3 +254,64 @@ class TestCoverageGate:
                 assert isinstance(result, GateResult)
                 assert result.passed is True
                 assert result.details["coverage_percent"] == 90.0
+
+    def test_check_uses_timeout(self) -> None:
+        """Test that check() sets a timeout on subprocess.run."""
+        mock_result = MagicMock()
+        mock_result.returncode = 0
+        mock_result.stdout = "TOTAL     100     10    90%"
+        mock_result.stderr = ""
+
+        coverage_data = {"totals": {"percent_covered": 90.0}}
+
+        with patch("subprocess.run", return_value=mock_result) as mock_run:
+            with patch("builtins.open", mock_open(read_data=json.dumps(coverage_data))):
+                with patch("json.load", return_value=coverage_data):
+                    gate = CoverageGate()
+                    gate.check()
+
+                    # Verify timeout is set
+                    mock_run.assert_called_once()
+                    call_kwargs = mock_run.call_args[1]
+                    assert "timeout" in call_kwargs
+                    assert call_kwargs["timeout"] == 300  # 5 minutes
+
+    def test_check_handles_timeout_exception(self) -> None:
+        """Test that check() handles subprocess timeout gracefully."""
+        # Mock subprocess.run to raise TimeoutExpired
+        with patch(
+            "subprocess.run",
+            side_effect=subprocess.TimeoutExpired("pytest", timeout=300),
+        ):
+            gate = CoverageGate()
+            result = gate.check()
+
+            # Verify result
+            assert isinstance(result, GateResult)
+            assert result.passed is False
+            # TimeoutExpired message contains "timed out after"
+            assert "timed out" in result.message.lower() or "timeout" in result.message.lower()
+            assert "error" in result.details
+
+    def test_coverage_file_path_is_absolute(self) -> None:
+        """Test that coverage.json path is resolved as absolute and validated."""
+        from pathlib import Path
+
+        mock_result = MagicMock()
+        mock_result.returncode = 0
+        mock_result.stdout = "TOTAL     100     10    90%"
+        mock_result.stderr = ""
+
+        coverage_data = {"totals": {"percent_covered": 90.0}}
+
+        with patch("subprocess.run", return_value=mock_result):
+            # Mock Path.exists to return True for absolute path check
+            with patch.object(Path, "exists", return_value=True):
+                with patch("builtins.open", mock_open(read_data=json.dumps(coverage_data))):
+                    with patch("json.load", return_value=coverage_data):
+                        gate = CoverageGate()
+                        # Access the internal method to verify it uses absolute paths
+                        coverage_percent = gate._extract_coverage_from_json()
+
+                        # Should successfully extract coverage
+                        assert coverage_percent == 90.0

apps/coordinator/tests/gates/test_lint_gate.py

@@ -150,3 +150,37 @@ class TestLintGate:
             assert result.passed is False
             assert "unexpected error" in result.message.lower()
             assert "error" in result.details
+
+    def test_check_uses_timeout(self) -> None:
+        """Test that check() sets a timeout on subprocess.run."""
+        mock_result = MagicMock()
+        mock_result.returncode = 0
+        mock_result.stdout = "All checks passed!"
+        mock_result.stderr = ""
+
+        with patch("subprocess.run", return_value=mock_result) as mock_run:
+            gate = LintGate()
+            gate.check()
+
+            # Verify timeout is set
+            mock_run.assert_called_once()
+            call_kwargs = mock_run.call_args[1]
+            assert "timeout" in call_kwargs
+            assert call_kwargs["timeout"] == 300  # 5 minutes
+
+    def test_check_handles_timeout_exception(self) -> None:
+        """Test that check() handles subprocess timeout gracefully."""
+        # Mock subprocess.run to raise TimeoutExpired
+        with patch(
+            "subprocess.run",
+            side_effect=subprocess.TimeoutExpired("ruff", timeout=300),
+        ):
+            gate = LintGate()
+            result = gate.check()
+
+            # Verify result
+            assert isinstance(result, GateResult)
+            assert result.passed is False
+            # TimeoutExpired message contains "timed out after"
+            assert "timed out" in result.message.lower() or "timeout" in result.message.lower()
+            assert "error" in result.details

apps/coordinator/tests/gates/test_test_gate.py

@@ -176,3 +176,37 @@ class TestTestGate:
             assert result.passed is False
             assert "unexpected error" in result.message.lower()
             assert "error" in result.details
+
+    def test_check_uses_timeout(self) -> None:
+        """Test that check() sets a timeout on subprocess.run."""
+        mock_result = MagicMock()
+        mock_result.returncode = 0
+        mock_result.stdout = "50 passed in 2.34s"
+        mock_result.stderr = ""
+
+        with patch("subprocess.run", return_value=mock_result) as mock_run:
+            gate = TestGate()
+            gate.check()
+
+            # Verify timeout is set
+            mock_run.assert_called_once()
+            call_kwargs = mock_run.call_args[1]
+            assert "timeout" in call_kwargs
+            assert call_kwargs["timeout"] == 300  # 5 minutes
+
+    def test_check_handles_timeout_exception(self) -> None:
+        """Test that check() handles subprocess timeout gracefully."""
+        # Mock subprocess.run to raise TimeoutExpired
+        with patch(
+            "subprocess.run",
+            side_effect=subprocess.TimeoutExpired("pytest", timeout=300),
+        ):
+            gate = TestGate()
+            result = gate.check()
+
+            # Verify result
+            assert isinstance(result, GateResult)
+            assert result.passed is False
+            # TimeoutExpired message contains "timed out after"
+            assert "timed out" in result.message.lower() or "timeout" in result.message.lower()
+            assert "error" in result.details