Skip to content

feat(api): add application mutation rate limits#444

Merged
tiankaima merged 2 commits into
mainfrom
agent/issue-414-rate-limit-openapi
Jul 16, 2026
Merged

feat(api): add application mutation rate limits#444
tiankaima merged 2 commits into
mainfrom
agent/issue-414-rate-limit-openapi

Conversation

@tiankaima

@tiankaima tiankaima commented Jul 16, 2026

Copy link
Copy Markdown
Member

Goal

Close #414 by adding application-level abuse controls to authenticated REST, admin, upload, dashboard, and MCP mutation surfaces.

Changed Surfaces

  • add shared per-host/per-user/per-action Cloudflare rate-limit gates: 60 standard writes/minute and 10 batch writes/minute
  • make REST and MCP consume the same canonical feature-action budgets
  • reject MCP JSON-RPC batches atomically before transport/tool execution, while counting duplicate mutation calls
  • enforce every requested tool scope across a complete MCP batch; same-feature write scope satisfies read
  • return 429/503 with Retry-After: 60, expose the header through MCP CORS, and record rate-limit-rejected telemetry
  • preserve dashboard HTML redirects and best-effort visit redirects without performing rejected writes
  • cap subscription section ID/code batches at 500
  • configure production and E2E Wrangler bindings
  • keep E2E bindings enabled at fixture-safe thresholds; a regression test locks production budgets to 60/10
  • sync OpenAPI consumers in chore(openapi): sync mutation rate-limit responses cli#10 and Life-USTC/bot#11

Evidence

  • bun run app:prepare
  • bun x biome check (passes with the pre-existing unused build warning in src/static-loader/import.ts)
  • bun x svelte-check --tsconfig ./tsconfig.json — 0 errors / 0 warnings
  • all three TypeScript project checks
  • bun x vitest run — 162 files, 878 tests passed
  • bun run build
  • Wrangler production dry-run output verified:
    • USER_WRITE_RATE_LIMITER (60 requests/60s)
    • USER_BATCH_WRITE_RATE_LIMITER (10 requests/60s)
  • Wrangler E2E type generation verified both bindings
  • CLI regenerated and make test passed
  • Bot generated package compiled against its pinned oapi-codegen/runtime v1.4.2
  • independent contract review and implementation/security review: PASS
  • exact-head GitHub CI run 1349: success
    • Check/OpenAPI parity, MCP+Postgres integration, static loader image + dry-run, E2E artifact build: passed
    • E2E: api-mcp 345, public-web 167, signed-in 97, admin-comments 44; 653 passed, 0 failed, 0 retry, 0 flaky
    • published Playwright HTML report
  • Cloudflare exact-head deployment for 7432e9dd: successful
  • UI screenshot: N/A; this issue changes backend/API enforcement only. Validation uses response contracts, generated OpenAPI, integration/E2E logs, and the deployment preview.

Docs / Contracts

Updated docs/contracts/openapi.json, docs/contracts/mcp.json, docs/contracts/subscription.json, route annotations, and regenerated public/openapi.generated.json. The generated spec is byte-for-byte current and has blob SHA 168e728f8c5735eefae4d036a03b0df6433b5c0d, matching the CLI and Bot PRs.

Risk Areas

Auth/suspension ordering, MCP batch authorization and atomic rejection, per-PoP Cloudflare limiter semantics, missing-binding fail-closed behavior, dashboard redirect compatibility, and cross-repository generated-client drift.

Cloudflare rate limiting is intentionally an abuse control: counters are per location, permissive, and eventually consistent rather than a globally exact quota. E2E uses high local thresholds because its tests share fixture users; production budgets are separately locked by configuration tests and exercised through mocked threshold behavior.

Cleanup

No screenshots, traces, scratch probes, or unrelated generated artifacts are included. Generated OpenAPI is source-derived and checked for exact drift.

Closes #414.

@cloudflare-workers-and-pages

cloudflare-workers-and-pages Bot commented Jul 16, 2026

Copy link
Copy Markdown

Deploying with  Cloudflare Workers  Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status Name Latest Commit Preview URL Updated (UTC)
✅ Deployment successful!
View logs
life-ustc 7432e9d Commit Preview URL

Branch Preview URL
Jul 16 2026, 01:28 AM

@github-actions

github-actions Bot commented Jul 16, 2026

Copy link
Copy Markdown

@tiankaima
tiankaima marked this pull request as ready for review July 16, 2026 01:42
@tiankaima
tiankaima merged commit 51ed1e7 into main Jul 16, 2026
23 checks passed
@tiankaima
tiankaima deleted the agent/issue-414-rate-limit-openapi branch July 16, 2026 01:43
github-actions Bot pushed a commit that referenced this pull request Jul 16, 2026
# [1.54.0](v1.53.2...v1.54.0) (2026-07-16)

### Features

* **api:** add application mutation rate limits ([#444](#444)) ([51ed1e7](51ed1e7))
@github-actions

Copy link
Copy Markdown

🎉 This PR is included in version 1.54.0 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

No application-level rate limiting on REST/MCP mutation and batch endpoints

1 participant