Security review (task e3a707ac) found no rate limiting on public endpoints: the per-key token bucket in auth.py applies only to authenticated requests, so unauthenticated requests to public endpoints are not limited at all.
Fix plan:
1. Install slowapi (`pip install slowapi`)
2. Add Limiter to api.py using in-memory or Redis store
3. Apply global default limits: GET 120/min per IP, POST/PUT/DELETE 20/min per IP
4. Add 429 responses with Retry-After header
5. Test that limits are enforced per client IP and per method class (the 121st GET and the 21st POST/PUT/DELETE within a minute are rejected), that the rejection is a 429 carrying Retry-After, and that authenticated requests are still subject to the per-key limit
The existing per-key rate limiting in auth.py should remain. See also: docs/planning/specs/82730506_c21_spec.md
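The following is an added example of the policy in the plan above, written against the standard library only; it is not the project's api.py and does not use slowapi. The names IPRateLimiter, client_ip, enforce, LIMITS_PER_MINUTE and METHOD_CLASS are assumptions for illustration, and the constructed addresses are documentation ranges. It keys a token bucket on (client IP, read/write method class), returns a 429 with Retry-After computed from the refill rate, and resolves the client IP so that X-Forwarded-For is only trusted behind a known proxy, since a per-IP limit that trusts a client-supplied header can be bypassed by spoofing the header.

```python
"""Global per-IP rate limiting with method-class limits and 429/Retry-After.

Added example in the standard library only; it is not the project's api.py
and does not use slowapi. The names IPRateLimiter, client_ip, enforce,
LIMITS_PER_MINUTE and METHOD_CLASS are assumptions for illustration; the
numbers are the fix plan's (GET 120/min, POST/PUT/DELETE 20/min per IP).
"""
import math
import time
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, Iterable, Optional, Tuple

# One shared budget for reads and one for writes, per client IP.
LIMITS_PER_MINUTE: Dict[str, int] = {"read": 120, "write": 20}
METHOD_CLASS: Dict[str, str] = {
    "GET": "read", "HEAD": "read",
    "POST": "write", "PUT": "write", "DELETE": "write", "PATCH": "write",
}


@dataclass
class Bucket:
    tokens: float   # whole requests currently available
    updated: float  # clock reading at the last refill


class IPRateLimiter:
    """Token bucket per (client IP, method class): capacity = limit, refill = limit per 60 s."""

    def __init__(self, limits: Dict[str, int] = LIMITS_PER_MINUTE,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.limits = limits
        self.clock = clock  # injectable so tests can drive time deterministically
        self.buckets: Dict[Tuple[str, str], Bucket] = {}

    def check(self, ip: str, method: str) -> Tuple[bool, int]:
        """Consume one token. Returns (allowed, retry_after_seconds); 0 when allowed."""
        # Unlisted methods are treated as writes (the strict limit), not as a free pass.
        cls = METHOD_CLASS.get(method.upper(), "write")
        limit = self.limits[cls]
        now = self.clock()
        bucket = self.buckets.get((ip, cls))
        if bucket is None:
            bucket = self.buckets[(ip, cls)] = Bucket(float(limit), now)
        # Refill in proportion to elapsed time, never above capacity.
        bucket.tokens = min(float(limit), bucket.tokens + (now - bucket.updated) * limit / 60.0)
        bucket.updated = now
        if bucket.tokens >= 1.0:
            bucket.tokens -= 1.0
            return True, 0
        # Seconds until one whole token exists again, rounded up for the header.
        return False, max(1, math.ceil((1.0 - bucket.tokens) * 60.0 / limit))


def client_ip(remote_addr: str, x_forwarded_for: Optional[str],
              trusted_proxies: Iterable[str]) -> str:
    """Pick the address the limit is keyed on.

    X-Forwarded-For is only honoured when the TCP peer is a trusted proxy, and
    then the right-most hop that is not itself a trusted proxy is used. Trusting
    the header from any peer lets a client choose its own bucket by spoofing it,
    which defeats a per-IP limit entirely.
    """
    nets = [ip_network(n) for n in trusted_proxies]
    if not any(ip_address(remote_addr) in n for n in nets) or not x_forwarded_for:
        return remote_addr
    for hop in reversed([h.strip() for h in x_forwarded_for.split(",")]):
        try:
            addr = ip_address(hop)
        except ValueError:
            return remote_addr  # malformed header: fall back to the peer address
        if not any(addr in n for n in nets):
            return str(addr)
    return remote_addr  # every hop was a proxy; nothing better than the peer


def enforce(limiter: IPRateLimiter, ip: str, method: str) -> Optional[Tuple[int, Dict[str, str]]]:
    """Return None to let the request through, else the (status, headers) of a 429.

    Runs before authentication, so the per-key token bucket in auth.py still
    applies to authenticated requests afterwards.
    """
    allowed, retry_after = limiter.check(ip, method)
    if allowed:
        return None
    return 429, {"Retry-After": str(retry_after), "Content-Type": "text/plain"}


if __name__ == "__main__":
    lim = IPRateLimiter()
    for _ in range(20):
        enforce(lim, "203.0.113.5", "POST")
    print(enforce(lim, "203.0.113.5", "DELETE"))  # 21st write: (429, {'Retry-After': '3', ...})
```

Reads and writes share one budget per class rather than one per method, so 20 POSTs followed by a DELETE from the same IP is rejected; if the intent is a separate 20/min for each of POST, PUT and DELETE, key the bucket on the method instead of the class. The bucket store here is in-process, which matches the "in-memory" option in the plan and only limits per worker; a multi-worker deployment needs the Redis option so all workers see the same counts.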
Completion Notes
Auto-completed by supervisor after successful deploy to main
Git Commits (3)
[Senate] Add global IP rate limiting — GET 120/min, POST/PUT/DELETE 20/min [task:6e7d4d2e-351a-442d-b9f2-fbf03c86dd8d] 2026-04-21
[Senate] Add global IP rate limiting — GET 120/min, POST/PUT/DELETE 20/min [task:6e7d4d2e-351a-442d-b9f2-fbf03c86dd8d] 2026-04-21
[Senate] Add global IP rate limiting — GET 120/min, POST/PUT/DELETE 20/min [task:6e7d4d2e-351a-442d-b9f2-fbf03c86dd8d] 2026-04-21