feat(codebase): harden container execution rollout with access limits and metrics

[chilu18]

Summary

This PR hardens codebase run execution while production mode is set to container.

Changed files

• opencto/opencto-api-worker/src/codebaseRuns.ts
• opencto/opencto-api-worker/src/index.ts
• opencto/opencto-api-worker/src/errors.ts
• opencto/opencto-api-worker/src/tests/codebaseRuns.test.ts
• opencto/opencto-api-worker/README.md

Validation output

opencto/opencto-api-worker

• npm run lint: PASS
• npm run build: PASS
• npm test: PASS (50 tests)

opencto/opencto-dashboard

• Not touched in this PR.

Risk notes

• Role restrictions now block developer, viewer, and auditor from create/cancel actions; clients relying on prior behavior will now get 403.
• Repo URL validation is intentionally strict to https://github.com/<owner>/<repo>[.git] and may reject previously accepted formats.
• Added metrics endpoint is per-user and reads only last 24h from codebase_runs; no schema changes were introduced.

Rollback note

If container hardening causes production issues, set mode back to stub and redeploy:

1. Update opencto/opencto-api-worker/wrangler.toml under [env.production.vars]:
   • CODEBASE_EXECUTION_MODE = "stub"
2. Redeploy:
   • cd opencto/opencto-api-worker && npx wrangler deploy --env production

[chatgpt-codex-connector]

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.
To continue using code reviews, you can upgrade your account or add credits to your account and enable them for code reviews in your settings.

[chilu18]

OpenCTO Autonomous PR Review (2026-03-04T07:23:05.183Z)

Decision: approve

The PR introduces container execution hardening with role-based access limits, strict repo URL validation, and per-user metrics for the last 24 hours. It includes comprehensive testing, linting, and build pass statuses, with clear risk and rollback documentation. The scope and impact are well communicated, with no critical issues found.

Concerns: none identified.

[chilu18]

OpenCTO Autonomous PR Review (2026-03-04T12:29:38.962Z)

Decision: approve

The PR introduces container execution hardening with access limits and metrics, including role-based restrictions, stricter repo URL validation, and a new metrics endpoint. All tests pass and lint/build checks succeed. The risk notes and rollback instructions are clear and well-documented.

Concerns: none identified.

[chilu18]

OpenCTO Autonomous PR Review (2026-03-04T13:18:33.336Z)

Decision: changes_requested

Autonomous review parse fallback: manual review recommended.

Concerns: none identified.

[chilu18]

OpenCTO Autonomous PR Review (2026-03-05T15:56:39.780Z)

Decision: approve

The PR enhances container execution security by adding access restrictions, strict repo URL validation, and a new metrics endpoint without schema changes. All tests pass and lint/build succeed. The risk and rollback notes are clear and reasonable. Changes in documentation and tests sufficiently cover the new behavior.

Concerns: none identified.

[chilu18]

OpenCTO Autonomous PR Review (2026-03-05T16:03:51.216Z)

Decision: approve

The PR effectively hardens container execution by implementing access restrictions, strict repo URL validation, and adding a metrics endpoint. All tests pass with no lint or build errors, and rollback instructions are clearly provided. The risk notes appropriately inform about potential client impacts due to stricter access controls and validation. This is a solid improvement to the production mode execution.

Concerns: none identified.

[chilu18]

OpenCTO Autonomous PR Review (2026-03-05T16:14:05.862Z)

Decision: approve

The PR effectively hardens the container execution mode by adding strict access controls, strict repository URL validation, and per-user metrics endpoints without schema changes. The risk and rollback notes are clearly documented. Tests pass and lint/build are successful.

Concerns: none identified.

[chilu18]

OpenCTO Autonomous PR Review (2026-03-05T19:42:37.493Z)

Decision: approve

The PR improves security by adding access limits and metrics for container execution rollout. The changes are well-tested with all tests passing and lint/build checks succeeding. The PR also includes thorough risk notes and rollback instructions, indicating consideration of potential impacts. No schema changes are introduced, minimizing migration risks.

Concerns: none identified.

[chilu18]

OpenCTO Autonomous PR Review (2026-03-06T17:05:29.795Z)

Decision: approve

The PR effectively hardens container execution by enforcing new access restrictions, strict repo URL validation, and adds a per-user metrics endpoint without schema changes. Tests all pass with increased coverage and relevant documentation updates are included. Rollback steps and risk notes are clearly documented.

Concerns: none identified.

[chilu18]

OpenCTO Autonomous PR Review (2026-03-08T17:17:34.611Z)

Decision: approve

The PR enhances security in container execution by enforcing stricter role-based access control and URL validation, introduces a new per-user metrics endpoint without schema changes, and maintains code quality with linting, building, and testing passing successfully. Adequate rollback instructions are provided to minimize production risk. The scope of changes is well-described and includes comprehensive test updates.

Concerns: none identified.

[chilu18]

OpenCTO Autonomous PR Review (2026-03-09T16:53:47.262Z)

Decision: approve

The PR introduces important security hardening for container execution by enforcing stricter role-based access controls and repository URL validation, adding a per-user metrics endpoint without schema changes. All tests pass, linting and build succeed, and rollback steps are clearly documented. Changes are well-scoped and appropriately tested.

Concerns: none identified.