Harden public API write and compute routes by MaxGhenis · Pull Request #224 · PolicyEngine/policyengine-api-v2-alpha

MaxGhenis · 2026-04-12T16:24:49Z

Summary

require the shared expensive-endpoint guard on public policy, dynamic, aggregate, household, and agent write routes
protect additional expensive analysis POST routes and restrict CORS to a configured allowlist
remove anonymous database access from generated RLS policies and add security regression coverage

uv run pytest tests/test_outputs.py tests/test_change_aggregates.py tests/test_security.py -q
uv run ruff check src/policyengine_api/security.py src/policyengine_api/config/settings.py src/policyengine_api/main.py src/policyengine_api/api/analysis.py src/policyengine_api/api/outputs.py src/policyengine_api/api/change_aggregates.py src/policyengine_api/api/agent.py src/policyengine_api/api/policies.py src/policyengine_api/api/dynamics.py scripts/init.py tests/test_security.py

MaxGhenis force-pushed the codex/security-hardening-audit-v2 branch 7 times, most recently from 8520734 to 8f08795 Compare April 12, 2026 19:37

Harden public API write and compute routes

9aa096b

MaxGhenis force-pushed the codex/security-hardening-audit-v2 branch from 8f08795 to 9aa096b Compare April 12, 2026 19:41