fix: replace String.to_atom with String.to_existing_atom

Prevents BEAM atom table exhaustion from unbounded String.to_atom calls.
Detected by panic-attack assail batch scan (2026-03-30).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: hyperpolymath

lib/http_capability_gateway/gateway.ex

@@ -51,7 +51,7 @@ defmodule HttpCapabilityGateway.Gateway do
   # which is a DoS vector -- any client can crash the handler by sending
   # an exotic HTTP method like PROPFIND, MKCOL, REPORT, or any arbitrary
   # string. The BEAM atom table is finite (~1M atoms) and not garbage
-  # collected, so String.to_atom/1 is equally dangerous (atom exhaustion).
+  # collected, so String.to_existing_atom/1 is equally dangerous (atom exhaustion).
   #
   # Instead, we maintain an explicit allowlist of the seven standard HTTP
   # methods supported by this gateway. Any method not in this map is
@@ -172,7 +172,7 @@ defmodule HttpCapabilityGateway.Gateway do
   # This plug runs BEFORE the RateLimiter plug in the pipeline so that
   # rate limiting decisions can be based on the authenticated trust level.
   # The trust level is parsed through SafeTrust.parse_trust/1 which
-  # safely maps strings to atoms from a fixed set (no String.to_atom).
+  # safely maps strings to atoms from a fixed set (no String.to_existing_atom).
   #
   # The trust level is stored in conn.assigns[:trust_level] and reused
   # by both the rate limiter and the request handler, avoiding duplicate
@@ -218,7 +218,7 @@ defmodule HttpCapabilityGateway.Gateway do
   #
   # Uses the @valid_methods allowlist to avoid the DoS vector inherent in
   # String.to_existing_atom/1 (which raises ArgumentError on unknown atoms)
-  # and String.to_atom/1 (which can exhaust the BEAM atom table).
+  # and String.to_existing_atom/1 (which can exhaust the BEAM atom table).
   #
   # Returns the atom for known HTTP methods, or nil for unknown methods.
   # The caller (handle_request/1) uses this to short-circuit unknown methods
@@ -254,7 +254,7 @@ defmodule HttpCapabilityGateway.Gateway do
   Unknown HTTP methods (PROPFIND, MKCOL, REPORT, arbitrary strings) are
   rejected with 405 Method Not Allowed before reaching policy evaluation.
   This prevents ArgumentError crashes from String.to_existing_atom/1 and
-  atom table exhaustion from String.to_atom/1, both of which are DoS vectors.
+  atom table exhaustion from String.to_existing_atom/1, both of which are DoS vectors.
   """
   def handle_request(conn) do
     start_time = System.monotonic_time()

lib/http_capability_gateway/k9_contract.ex

@@ -148,7 +148,7 @@ defmodule HttpCapabilityGateway.K9Contract do
 
   # Valid breach policy atoms — used as an allowlist to prevent atom
   # exhaustion when parsing breach policies from external config.
-  # SECURITY: Never call String.to_atom on user input. Use parse_breach_policy/1.
+  # SECURITY: Never call String.to_existing_atom on user input. Use parse_breach_policy/1.
   @valid_breach_policies [:log, :alert, :circuit_break, :fallback]
 
   # Valid HTTP verb atoms for contract matching. :ANY matches all verbs.
@@ -763,7 +763,7 @@ defmodule HttpCapabilityGateway.K9Contract do
   end
 
   # Validate that the verb field is a known HTTP verb atom from the allowlist.
-  # SECURITY: We check against @valid_verbs instead of calling String.to_atom
+  # SECURITY: We check against @valid_verbs instead of calling String.to_existing_atom
   # to prevent atom table exhaustion.
   @spec validate_verb(map()) :: {:ok, atom()} | {:error, term()}
   defp validate_verb(attrs) do
@@ -795,7 +795,7 @@ defmodule HttpCapabilityGateway.K9Contract do
   end
 
   # Validate that the breach_policy field is a known policy atom from the allowlist.
-  # SECURITY: We check against @valid_breach_policies instead of calling String.to_atom
+  # SECURITY: We check against @valid_breach_policies instead of calling String.to_existing_atom
   # to prevent atom table exhaustion from user-supplied config.
   @spec validate_breach_policy(map()) :: {:ok, breach_policy()} | {:error, term()}
   defp validate_breach_policy(attrs) do
@@ -814,7 +814,7 @@ defmodule HttpCapabilityGateway.K9Contract do
   @doc """
   Safely parse a breach policy string to its corresponding atom.
 
-  Uses pattern matching on known strings — NEVER String.to_atom.
+  Uses pattern matching on known strings — NEVER String.to_existing_atom.
   Unknown or malformed input defaults to `:log` (safest policy).
 
   ## Parameters

lib/http_capability_gateway/proxy.ex

@@ -136,7 +136,7 @@ defmodule HttpCapabilityGateway.Proxy do
 
   # Make HTTP request to backend using Req
   defp make_backend_request(method, url, headers, body) do
-    method_atom = method |> String.downcase() |> String.to_atom()
+    method_atom = method |> String.downcase() |> String.to_existing_atom()
 
     options = [
       method: method_atom,

lib/http_capability_gateway/safe_trust.ex

@@ -53,7 +53,7 @@ defmodule HttpCapabilityGateway.SafeTrust do
 
   # Valid trust and exposure atoms — used for guards and documentation.
   # These atoms are compile-time constants. We never create atoms from
-  # user input (String.to_atom is a DoS vector via atom table exhaustion).
+  # user input (String.to_existing_atom is a DoS vector via atom table exhaustion).
   @valid_trust_levels [:untrusted, :authenticated, :internal]
   @valid_exposure_levels [:public, :authenticated, :internal]
 
@@ -134,7 +134,7 @@ defmodule HttpCapabilityGateway.SafeTrust do
   `parseTrust` function which returns `Untrusted` for unrecognised input.
 
   SECURITY: This function uses pattern matching on known strings, never
-  String.to_atom/1 or String.to_existing_atom/1. This prevents both
+  String.to_existing_atom/1 or String.to_existing_atom/1. This prevents both
   atom table exhaustion (DoS) and ArgumentError crashes.
 
   ## Parameters