feat(api): add application mutation rate limits#444
Merged
Conversation
Deploying with
|
| Status | Name | Latest Commit | Preview URL | Updated (UTC) |
|---|---|---|---|---|
| ✅ Deployment successful! View logs |
life-ustc | 7432e9d | Commit Preview URL Branch Preview URL |
Jul 16 2026, 01:28 AM |
|
E2E HTML report is ready: https://life-ustc.github.io/e2e-snapshot-artifacts/reports/29464138254/index.html |
tiankaima
marked this pull request as ready for review
July 16, 2026 01:42
github-actions Bot
pushed a commit
that referenced
this pull request
Jul 16, 2026
# [1.54.0](v1.53.2...v1.54.0) (2026-07-16) ### Features * **api:** add application mutation rate limits ([#444](#444)) ([51ed1e7](51ed1e7))
|
🎉 This PR is included in version 1.54.0 🎉 The release is available on GitHub release Your semantic-release bot 📦🚀 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Goal
Close #414 by adding application-level abuse controls to authenticated REST, admin, upload, dashboard, and MCP mutation surfaces.
Changed Surfaces
Retry-After: 60, expose the header through MCP CORS, and recordrate-limit-rejectedtelemetryEvidence
bun run app:preparebun x biome check(passes with the pre-existing unusedbuildwarning insrc/static-loader/import.ts)bun x svelte-check --tsconfig ./tsconfig.json— 0 errors / 0 warningsbun x vitest run— 162 files, 878 tests passedbun run buildUSER_WRITE_RATE_LIMITER (60 requests/60s)USER_BATCH_WRITE_RATE_LIMITER (10 requests/60s)make testpassedoapi-codegen/runtime v1.4.27432e9dd: successfulDocs / Contracts
Updated
docs/contracts/openapi.json,docs/contracts/mcp.json,docs/contracts/subscription.json, route annotations, and regeneratedpublic/openapi.generated.json. The generated spec is byte-for-byte current and has blob SHA168e728f8c5735eefae4d036a03b0df6433b5c0d, matching the CLI and Bot PRs.Risk Areas
Auth/suspension ordering, MCP batch authorization and atomic rejection, per-PoP Cloudflare limiter semantics, missing-binding fail-closed behavior, dashboard redirect compatibility, and cross-repository generated-client drift.
Cloudflare rate limiting is intentionally an abuse control: counters are per location, permissive, and eventually consistent rather than a globally exact quota. E2E uses high local thresholds because its tests share fixture users; production budgets are separately locked by configuration tests and exercised through mocked threshold behavior.
Cleanup
No screenshots, traces, scratch probes, or unrelated generated artifacts are included. Generated OpenAPI is source-derived and checked for exact drift.
Closes #414.