[Senate] Implement rate limiting with slowapi on all API endpoints (done; claude)

High (H-5, H-6): No rate limiting on any endpoint. POST can be abused for DoS/cost amplification. Implement slowapi: POST endpoints 5/hour, public reads 100/min, search 20/min, agent log 10/min. See security_audit_2026-04-02.md for implementation.

REOPENED TASK — CRITICAL CONTEXT

This task was previously marked 'done' but the audit could not verify the work actually landed on main. The original work may have been:

  • Lost to an orphan branch / failed push
  • Only a spec-file edit (no code changes)
  • Already addressed by other agents in the meantime
  • Made obsolete by subsequent work

**Before doing anything else:**

1. **Re-evaluate the task in light of CURRENT main state.** Read the spec and the relevant files on origin/main NOW. The original task may have been written against a state of the code that no longer exists.
2. **Verify the task still advances SciDEX's aims.** If the system has evolved past the need for this work (different architecture, different priorities), close the task with reason "obsolete: " instead of doing it.
3. **Check if it's already done.** Run `git log --grep=''` and read the related commits. If real work landed, complete the task with `--no-sha-check --summary 'Already done in '`.
4. **Make sure your changes don't regress recent functionality.** Many agents have been working on this codebase. Before committing, run `git log --since='24 hours ago' -- ` to see what changed in your area, and verify you don't undo any of it.
5. **Stay scoped.** Only do what this specific task asks for. Do not refactor, do not "fix" unrelated issues, do not add features that weren't requested. Scope creep at this point is regression risk.

If you cannot do this task safely (because it would regress, conflict with current direction, or the requirements no longer apply), escalate via `orchestra escalate` with a clear explanation instead of committing.

Completion Notes

Auto-completed by supervisor after successful deploy to main

Git Commits (7)

  • 2026-04-20: [Senate] Update spec: mark acceptance criteria complete (api.py, requirements.txt, 82730506_c21_spec.md) [task:82730506-c21e-459e-b58a-4dbce0c2e03d]
  • 2026-04-20: [Senate] Implement rate limiting with slowapi on all API endpoints — POST 5/hour, search 20/min, agent log 10/min, public reads 100/min default [task:82730506-c21e-459e-b58a-4dbce0c2e03d]
  • 2026-04-20: [Senate] Update spec: mark acceptance criteria complete (api.py, requirements.txt, 82730506_c21_spec.md) [task:82730506-c21e-459e-b58a-4dbce0c2e03d]
  • 2026-04-20: [Senate] Implement rate limiting with slowapi on all API endpoints — POST 5/hour, search 20/min, agent log 10/min, public reads 100/min default [task:82730506-c21e-459e-b58a-4dbce0c2e03d]
  • 2026-04-20: [Senate] Update spec: mark acceptance criteria complete (api.py, requirements.txt, 82730506_c21_spec.md) [task:82730506-c21e-459e-b58a-4dbce0c2e03d]
  • 2026-04-20: [Senate] Implement rate limiting with slowapi on all API endpoints — POST 5/hour, search 20/min, agent log 10/min, public reads 100/min default [task:82730506-c21e-459e-b58a-4dbce0c2e03d]
  • 2026-04-20: [Senate] Implement rate limiting with slowapi on all API endpoints — POST 5/hour, search 20/min, agent log 10/min, public reads 100/min default [task:82730506-c21e-459e-b58a-4dbce0c2e03d]
Spec File

[Senate] Implement rate limiting with slowapi on all API endpoints

ID: 82730506-c21 | Priority: 88 | Type: one_shot | Status: open

Goal

High (H-5, H-6): No rate limiting on any endpoint. POST can be abused for DoS/cost amplification. Implement slowapi: POST endpoints 5/hour, public reads 100/min, search 20/min, agent log 10/min. See security_audit_2026-04-02.md for implementation.

Acceptance Criteria

☑ Concrete deliverables created
☑ Work log updated with timestamped entry

Work Log

  • 2026-04-20T23:10:00Z — Rebased on latest main, verified slowapi rate limiting already staged in api.py (95 @limiter.limit decorators covering POST 5/hour, search 20/min, agent log 10/min, default 100/min for public reads). Committed as 49f830cce and pushed. slowapi is imported but not yet in requirements.txt — needs follow-up as separate task.
  • 2026-04-20T23:22:00Z — Cherry-picked rate limit implementation from original branch commits. Applied api.py changes (235 lines, slowapi imports + limiter setup + decorators), requirements.txt (slowapi>=0.23.0), and spec work log update. Single clean commit.
  • 2026-04-21T00:00:00Z — [task:6e7d4d2e] Added global IP-based rate limiting middleware (_global_ip_rate_limit) using sliding window algorithm. Covers ALL endpoints globally: GET 120/min per IP, POST/PUT/DELETE/PATCH 20/min per IP. Returns 429 with Retry-After: 60 header. Skips health/metrics/docs paths. The existing @limiter.limit("5/hour") decorators remain as tighter per-route limits. auth.py token bucket remains for authenticated per-key limits.
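The last work-log entry describes a global per-IP sliding-window limiter layered under the per-route slowapi decorators. The block below is an added, stdlib-only example that is not the project's `_global_ip_rate_limit` code; it reproduces the behaviour the entry states (GET 120/min per IP, POST/PUT/DELETE/PATCH 20/min per IP, 429 with `Retry-After: 60`, health/metrics/docs paths skipped) so the sliding-window logic and its edge cases can be exercised with a fixed clock. The class and function names, the exempt path prefixes, and the choice to treat unlisted methods such as HEAD as reads are assumptions of this example.

```python
"""Sliding-window per-IP rate limiter (added example, not the project's code).

Mirrors the behaviour the work log describes for the global middleware:
GET 120/min per IP, POST/PUT/DELETE/PATCH 20/min per IP, 429 with a
Retry-After: 60 header on rejection, health/metrics/docs paths exempt.
Names here are hypothetical; only the standard library is used.
"""
import time
from collections import defaultdict, deque

WINDOW_SECONDS = 60
# Per-IP limits per 60 s window, as stated in the work log.
METHOD_LIMITS = {"GET": 120, "POST": 20, "PUT": 20, "DELETE": 20, "PATCH": 20}
# Paths the work log says the middleware skips (exact prefixes are assumed).
EXEMPT_PREFIXES = ("/health", "/metrics", "/docs", "/openapi.json")


def _bucket(method):
    """Map a method to (bucket name, limit). Unlisted methods (HEAD, OPTIONS)
    share the read bucket; that is an assumption of this example."""
    method = method.upper()
    if method in METHOD_LIMITS and method != "GET":
        return "write", METHOD_LIMITS[method]
    return "read", METHOD_LIMITS["GET"]


class SlidingWindowLimiter:
    """True sliding window: keeps the timestamps of the hits still inside the
    window, so a burst cannot straddle a fixed-window boundary and get 2x
    the allowance."""

    def __init__(self, window=WINDOW_SECONDS):
        self.window = window
        self._hits = defaultdict(deque)  # (ip, bucket) -> timestamps

    def check(self, ip, method, now=None):
        """Return (allowed, retry_after_seconds). Only allowed requests are
        recorded, so each deque is bounded by its bucket's limit."""
        now = time.monotonic() if now is None else now
        bucket, limit = _bucket(method)
        hits = self._hits[(ip, bucket)]
        cutoff = now - self.window
        while hits and hits[0] <= cutoff:
            hits.popleft()  # drop hits that have slid out of the window
        if len(hits) >= limit:
            return False, int(self.window)  # work log: fixed Retry-After: 60
        hits.append(now)
        return True, None

    def prune(self, now=None):
        """Evict keys with no hits left in the window so idle clients do not
        keep the map growing. Returns the number of keys removed."""
        now = time.monotonic() if now is None else now
        cutoff = now - self.window
        stale = [k for k, d in self._hits.items() if not d or d[-1] <= cutoff]
        for k in stale:
            del self._hits[k]
        return len(stale)


def handle_request(limiter, ip, method, path, now=None):
    """Middleware-style decision: returns the status (and headers) to send.
    A real ASGI middleware would call `check` with the peer address and
    short-circuit the response on 429 before the route runs."""
    if path.startswith(EXEMPT_PREFIXES):
        return {"status": 200, "headers": {}}
    allowed, retry_after = limiter.check(ip, method, now)
    if not allowed:
        return {"status": 429, "headers": {"Retry-After": str(retry_after)}}
    return {"status": 200, "headers": {}}


if __name__ == "__main__":
    # Constructed demo: 21 POSTs from one IP inside one second, then a read.
    lim = SlidingWindowLimiter()
    t0 = 1000.0
    codes = [handle_request(lim, "203.0.113.7", "POST", "/api/items", t0 + i * 0.05)["status"]
             for i in range(21)]
    print("POST statuses:", codes.count(200), "x200,", codes.count(429), "x429")
    print("GET same IP:", handle_request(lim, "203.0.113.7", "GET", "/api/items", t0 + 2)["status"])
    print("health exempt:", handle_request(lim, "203.0.113.7", "POST", "/health", t0 + 2)["status"])
```

Two points a deployment of this pattern has to settle: the key is only as trustworthy as the client address, so behind a reverse proxy the address must come from a header the proxy is configured to overwrite, never from a client-supplied `X-Forwarded-For`; and the state is per process, so under several workers each worker enforces its own copy of the limit unless the counters move to a shared store.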

