feat(worker): add security hardening layer for public service readiness#73
Merged
liplus-lin-lay merged 1 commit into main on Mar 26, 2026
Security infrastructure hardening: as the first step toward a multi-tenant public service (#62), add three defensive layers.

1. Bearer Token authentication: add authentication via MCP_AUTH_TOKEN to the /events and /mcp endpoints. Skipped when unset (backward compatible). WebSocket also accepts the ?token= query parameter.
2. GitHub IP whitelist: /webhooks/github accepts only GitHub's IP ranges. Fetched from api.github.com/meta and cached with the Cache API. Hardcoded fallback IPs are included.
3. Rate limiting: IP-based sliding window. webhook: 300 req/min, API: 120 req/min.

The local bridges (local-mcp, mcp-server) were also updated to automatically attach the Authorization header using the WEBHOOK_AUTH_TOKEN environment variable.

Refs #62
Refs sub #70
Refs sub #72

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
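The webhook source check described in layer 2 of the commit message, written here as an added example and not the repository's code. It assumes a Cloudflare Worker (the client IP would come from the CF-Connecting-IP header), and it stands in for the live api.github.com/meta fetch and Cache API caching with a constructed meta payload and constructed fallback ranges; the CIDR matcher handles both IPv4 and IPv6 and denies anything it cannot parse.

```javascript
// Parse an IPv4 or IPv6 literal into { v: BigInt, bits }; null if malformed.
function parseIp(ip) {
  if (ip.includes(':')) {
    // IPv6: expand a single "::" to the missing zero groups, then fold 8 hextets.
    const [head, tail = ''] = ip.split('::');
    const h = head ? head.split(':') : [];
    const t = tail ? tail.split(':') : [];
    if (ip.includes('::') ? h.length + t.length > 7 : h.length !== 8) return null;
    const groups = [...h, ...Array(8 - h.length - t.length).fill('0'), ...t];
    let v = 0n;
    for (const g of groups) {
      if (!/^[0-9a-f]{1,4}$/i.test(g)) return null;
      v = (v << 16n) | BigInt(parseInt(g, 16));
    }
    return { v, bits: 128 };
  }
  const parts = ip.split('.');
  if (parts.length !== 4) return null;
  let v = 0n;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    v = (v << 8n) | BigInt(Number(p));
  }
  return { v, bits: 32 };
}

// True only when ipStr is a valid address of the same family as the CIDR and its
// prefix matches; any parse failure or family mismatch is treated as "not allowed".
function inCidr(ipStr, cidr) {
  const [net, lenStr] = cidr.split('/');
  const ip = parseIp(ipStr), base = parseIp(net);
  if (!ip || !base || ip.bits !== base.bits) return false;
  const len = lenStr === undefined ? base.bits : Number(lenStr);
  if (!Number.isInteger(len) || len < 0 || len > base.bits) return false;
  const shift = BigInt(base.bits - len);
  return (ip.v >> shift) === (base.v >> shift);
}

// Constructed stand-in for the `hooks` field of api.github.com/meta (documentation
// ranges, NOT GitHub's real addresses); in the worker this would be fetched and cached.
const SAMPLE_META = { hooks: ['192.0.2.0/24', '2001:db8:beef::/48'] };
// Constructed fallback used when the meta response is missing or unusable.
const FALLBACK_HOOK_RANGES = ['198.51.100.0/28'];

function hookRangesFrom(meta) {
  const ranges = Array.isArray(meta?.hooks) ? meta.hooks.filter(r => typeof r === 'string') : [];
  return ranges.length ? ranges : FALLBACK_HOOK_RANGES;
}

function isGithubWebhookSource(clientIp, ranges) {
  return ranges.some(r => inCidr(clientIp, r));
}
```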
Part of #62
Security infrastructure hardening: add three defensive layers as the first step toward becoming a multi-tenant public service.
Counter DDoS/Billing Attacks with Bearer Token authentication, a GitHub IP whitelist, and rate limiting.
Refs sub #70
Implement Bearer Token authentication as the foundation of the auth infrastructure. Skipped when MCP_AUTH_TOKEN is unset, for backward compatibility.
Refs sub #72
Defend against Billing Attacks with a GitHub IP whitelist plus rate limiting.