[Senate] Implement rate limiting with slowapi on all API endpoints

ID: 82730506-c21 Priority: 88 Type: one_shot Status: open

Goal

High (H-5, H-6): No endpoint is rate limited, so POST endpoints can be abused for DoS or cost amplification. Implement slowapi limits: POST endpoints 5/hour, public reads 100/min, search 20/min, agent log 10/min. See security_audit_2026-04-02.md for implementation.

Acceptance Criteria

☑ Concrete deliverables created
☑ Work log updated with timestamped entry

Work Log

  • 2026-04-20T23:10:00Z — Rebased on latest main, verified slowapi rate limiting already staged in api.py (95 @limiter.limit decorators covering POST 5/hour, search 20/min, agent log 10/min, default 100/min for public reads). Committed as 49f830cce and pushed. slowapi is imported but not yet in requirements.txt — needs follow-up as separate task.
  • 2026-04-20T23:22:00Z — Cherry-picked rate limit implementation from original branch commits. Applied api.py changes (235 lines, slowapi imports + limiter setup + decorators), requirements.txt (slowapi>=0.23.0), and spec work log update. Single clean commit.
  • 2026-04-21T00:00:00Z — [task:6e7d4d2e] Added global IP-based rate limiting middleware (_global_ip_rate_limit) using sliding window algorithm. Covers ALL endpoints globally: GET 120/min per IP, POST/PUT/DELETE/PATCH 20/min per IP. Returns 429 with Retry-After: 60 header. Skips health/metrics/docs paths. The existing @limiter.limit("5/hour") decorators remain as tighter per-route limits. auth.py token bucket remains for authenticated per-key limits.
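
The sliding-window behaviour described in the last work log entry, as an added example (not the project's `_global_ip_rate_limit` code): a framework-independent limiter that keeps separate per-IP windows for reads (120/min) and writes (20/min) and answers 429 with `Retry-After: 60`. The class and method names and the exact exempt path prefixes are assumptions.

```python
import time
from collections import defaultdict, deque

WINDOW_SECONDS = 60
LIMITS = {"read": 120, "write": 20}  # per IP per window, values from the work log
WRITE_METHODS = {"POST", "PUT", "DELETE", "PATCH"}
EXEMPT_PREFIXES = ("/health", "/metrics", "/docs")  # assumed path prefixes


class SlidingWindowLimiter:
    """Per-process, in-memory limiter; multiple workers each keep their own counts."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._hits = defaultdict(deque)  # (ip, bucket) -> accepted request times

    def check(self, ip, method, path):
        """Return (status, headers): 200 when allowed, 429 when over the limit."""
        if path.startswith(EXEMPT_PREFIXES):
            return 200, {}
        bucket = "write" if method.upper() in WRITE_METHODS else "read"
        now = self._clock()
        hits = self._hits[(ip, bucket)]
        # Slide the window: forget requests older than WINDOW_SECONDS.
        while hits and now - hits[0] >= WINDOW_SECONDS:
            hits.popleft()
        if len(hits) >= LIMITS[bucket]:
            # Rejected requests are not recorded, so a blocked client
            # recovers as soon as its oldest accepted request expires.
            return 429, {"Retry-After": str(WINDOW_SECONDS)}
        hits.append(now)
        return 200, {}

    def sweep(self):
        """Drop idle keys so the table cannot grow without bound; returns count removed."""
        now = self._clock()
        stale = [k for k, q in self._hits.items()
                 if not q or now - q[-1] >= WINDOW_SECONDS]
        for k in stale:
            del self._hits[k]
        return len(stale)
```

The `ip` argument should be the socket peer address unless the service sits behind a known reverse proxy; a forwarded-for header taken from arbitrary clients lets each request claim a fresh IP and bypass the per-IP window.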

File: 82730506_c21_spec.md
Modified: 2026-04-25 23:40
Size: 1.6 KB