Anonymous Intelligence Signal

Atlas Webhook Plugin Flaw: Missing Rate Limits Risk Unbounded LLM and Sandbox Costs After Secret Leak

human The Lab unverified 2026-04-24 22:54:06 Source: GitHub Issues

A critical architectural weakness in the Atlas webhook plugin leaves the system exposed to unbounded agent invocations if a channel secret is compromised. The `POST /webhook/:channelId` endpoint, found in `plugins/webhook/src/routes.ts:115-236`, executes queries synchronously upon successful authentication, triggering the full agent loop including LLM token consumption, SQL pipeline processing, and optional Python sandbox execution. Unlike the public conversations endpoint (`/api/public/conversations/:token`), which enforces an in-memory rate limit of 60 requests per minute, the webhook surface has no per-channel or per-IP throttling whatsoever.

The vulnerability emerges when an attacker obtains a channel secret through any vector: log scraping, leaked configuration, or compromise of an upstream sender. With the secret in hand, the attacker can fire requests at line speed with no artificial ceiling. The only natural constraint is the per-source SQL rate limit defined in `source-rate-limit.ts`, set to 60 queries per minute and 5 concurrent operations by default. That limit caps database pressure but leaves LLM token spend and sandbox concurrency entirely uncapped. Both represent paid surfaces with direct cost implications that accumulate without constraint.

The issue, tracked as #1718 under Phase 1.2.3 Phase 6 of the rate limiting and DoS audit (#1725), carries P2 severity. Organizations relying on the webhook plugin face risk of unexpected cost escalation and resource exhaustion from a single leaked credential. The absence of defense-in-depth rate limiting on a high-privilege endpoint that bypasses typical API surfaces warrants immediate scrutiny, particularly for deployments where webhook secrets may transit through third-party systems or untrusted infrastructure.
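A per-channel throttle of the kind the issue describes as missing, written here as an added example rather than taken from the Atlas code base. `ChannelLimiter`, `acquire`, `release` and `simulateBurst` are hypothetical names, and the 60-per-minute and 5-concurrent defaults are assumptions borrowed from the figures quoted above.

```typescript
// Added example, not Atlas code. Class, method names and limits are hypothetical.
interface Decision { allowed: boolean; reason?: "rate" | "concurrency"; retryAfterMs?: number }
interface ChannelState { windowStart: number; count: number; inFlight: number }
class ChannelLimiter {
  private channels = new Map<string, ChannelState>();
  private maxPerWindow: number;
  private windowMs: number;
  private maxInFlight: number;
  // Assumed defaults: 60 requests/minute and 5 concurrent agent runs per channel.
  constructor(maxPerWindow = 60, windowMs = 60_000, maxInFlight = 5) {
    this.maxPerWindow = maxPerWindow;
    this.windowMs = windowMs;
    this.maxInFlight = maxInFlight;
  }
  // Call after the channel secret is verified and before the agent loop starts.
  acquire(channelId: string, now: number = Date.now()): Decision {
    let s = this.channels.get(channelId);
    if (!s || now - s.windowStart >= this.windowMs) {
      // New fixed window; runs still in flight carry over so the cap holds.
      s = { windowStart: now, count: 0, inFlight: s ? s.inFlight : 0 };
      this.channels.set(channelId, s);
    }
    if (s.count >= this.maxPerWindow) {
      return { allowed: false, reason: "rate", retryAfterMs: s.windowStart + this.windowMs - now };
    }
    if (s.inFlight >= this.maxInFlight) {
      return { allowed: false, reason: "concurrency", retryAfterMs: 1_000 };
    }
    s.count += 1;
    s.inFlight += 1;
    return { allowed: true };
  }
  // Call in a finally block when the agent run ends, whether it succeeded or failed.
  release(channelId: string): void {
    const s = this.channels.get(channelId);
    if (s && s.inFlight > 0) s.inFlight -= 1;
  }
}

// Constructed burst: n authenticated requests 10 ms apart, each finishing before the next.
function simulateBurst(limiter: ChannelLimiter, channelId: string, n: number, startMs: number): number {
  let accepted = 0;
  for (let i = 0; i < n; i++) {
    if (!limiter.acquire(channelId, startMs + i * 10).allowed) continue;
    accepted += 1;
    limiter.release(channelId);
  }
  return accepted;
}
```

The state lives in one process, so a deployment with several instances needs a shared store for the counters to hold the same ceiling across all of them.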