# Issue #279: Validate orchestrator URL configuration (SSRF risk)

## Objective

Prevent SSRF vulnerability by validating orchestrator URL from environment variables. Ensure URL format is valid, protocol is whitelisted (http/https), and hostname is not malicious.

## Security Impact

- SSRF vulnerability - attacker could point URL to internal services
- Data exfiltration - agent spawn requests sent to attacker-controlled server
- All agent operations compromised

## Location

`apps/api/src/federation/federation-agent.service.ts:43-56`

## Approach

1. Create URL validation utility function
2. Whitelist protocols (http, https only)
3. Validate hostname (reject localhost, private IPs, loopback)
4. Add structured logging for validation failures via audit service
5. Write comprehensive tests

## Implementation Plan

- [ ] Write tests for URL validation (RED)
- [ ] Implement URL validation logic (GREEN)
- [ ] Integrate validation into FederationAgentService constructor
- [ ] Add audit logging for invalid URLs
- [ ] Refactor for clarity
- [ ] Run quality gates

## Testing

- Valid URLs (http://example.com:3001, https://orchestrator.example.com)
- Invalid protocols (ftp://, file://, javascript:)
- Internal/private IPs (127.0.0.1, 192.168.x.x, 10.x.x.x)
- Localhost variants (localhost, 0.0.0.0)
- Malformed URLs

## Notes

- Use Node's built-in URL class for parsing
- Consider environment-specific allowlists (dev can use localhost)
- Add security event logging via FederationAuditService