docs: add rate-limiting guidance to CLAUDE.md (#228)
Merged: an9xyz merged 1 commit, Jun 2, 2026
lml2468 (Contributor) approved these changes, Jun 2, 2026:
Summary
Docs-only: adds rate-limiting guidance to CLAUDE.md. Clear, accurate, well-structured. No blocking issues.
Covers the three-layer middleware stack (global IP / strict IP per-endpoint / shared UID), correct mounting order (after AuthMiddleware), exception policy for business-identity cooldowns, and test bucket cleanup. The checklist addition reinforces the "never hand-roll" rule.
APPROVED.
Jerry-Xin (Contributor) approved these changes, Jun 2, 2026:
✅ APPROVE
Clean documentation addition: rate-limiting guidance for CLAUDE.md.
- Three-layer middleware taxonomy is accurate and well-structured
- SharedUIDRateLimiter mount-after-auth caveat is important and clearly called out
- Exception clause for per-resource cooldowns (SMS/email/bind) is correctly scoped
- Test setup reminder (resetUIDRateLimit) prevents CI flakes
- Architecture section cross-reference added
No issues found.
Document the shared rate-limit middleware (ip / strict:{tag} / uid scopes
in pkg/wkhttp) and require it over hand-rolled Redis counters for generic
request-frequency limiting. Note the per-resource cooldown exception
(sms/email/OIDC bind) and the AuthMiddleware mount-order requirement.
Summary
Adds a Rate Limiting section to CLAUDE.md so contributors mount the shared rate-limit middleware instead of hand-rolling Redis counters for request-frequency limiting.
What's documented
- The middlewares in pkg/wkhttp/ratelimit.go and their X-RateLimit-Scope values:
  - RateLimitMiddleware → scope ip (global per-IP DDoS floor, already mounted in main.go)
  - StrictIPRateLimitMiddleware → scope strict:{tag} (per-IP, unauthenticated sensitive endpoints)
  - SharedUIDRateLimiter → scope uid (per-login-user, default for authenticated endpoints)
- All three set X-RateLimit-* headers, return i18n rate.limited, and are fail-open on Redis errors.
- SharedUIDRateLimiter must come after AuthMiddleware, otherwise it cannot read the uid and silently fails open.
- Per-resource cooldowns (sms_rate_limit:, email_rate_limit:, OIDC bind attempt caps) may keep their hand-written Redis counters — the IP/UID buckets cannot express that semantic.
- Tests must clear ratelimit:uid:* in setup (CleanAllTables does not clear it).
Context
Docs-only; no code behavior change. Motivated by finding that POST /v1/app_bot/apply (modules/app_bot) hand-rolls a fixed-window Redis counter instead of using the shared middleware.
Test plan
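The two fail-open paths the PR description warns about (limiter mounted before AuthMiddleware, and a Redis error) are easy to miss in a code review because nothing is logged and the endpoint keeps working. The example below is an added illustration written for this page, not code from pkg/wkhttp or the project: it uses a hypothetical in-memory Store in place of Redis, a stand-in AuthMiddleware that trusts an X-UID header (assumption, purely for the demo), and a constructed POST to /v1/app_bot/apply. Mounting the uid limiter inside auth yields 200, 200, 429 with X-RateLimit-Scope: uid; mounting it outside auth, or breaking the store, yields 200, 200, 200 with no rate-limit headers at all.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"sync"
)

// Store stands in for the Redis counter behind the limiter: a fixed-window
// INCR per key. Fail simulates a Redis outage. This shape is an assumption;
// the real pkg/wkhttp store is not shown on the page.
type Store struct {
	mu   sync.Mutex
	hits map[string]int
	Fail bool
}

func (s *Store) Incr(key string) (int, error) {
	if s.Fail {
		return 0, errors.New("redis: connection refused")
	}
	s.mu.Lock()
	defer s.mu.Unlock()
	if s.hits == nil {
		s.hits = map[string]int{}
	}
	s.hits[key]++
	return s.hits[key], nil
}

// Reset drops every ratelimit:uid:* bucket. Tests must call something like
// this in setup, since table cleanup does not touch rate-limit keys.
func (s *Store) Reset() { s.mu.Lock(); s.hits = nil; s.mu.Unlock() }

type uidKey struct{}

// AuthMiddleware is a hypothetical stand-in that trusts an X-UID header.
func AuthMiddleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		uid := r.Header.Get("X-UID")
		if uid == "" {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r.WithContext(context.WithValue(r.Context(), uidKey{}, uid)))
	})
}

// UIDRateLimiter limits per login user. It fails open on two paths: no uid
// in the context (limiter mounted before auth) and a store error.
func UIDRateLimiter(store *Store, limit int) func(http.Handler) http.Handler {
	return func(next http.Handler) http.Handler {
		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			uid, _ := r.Context().Value(uidKey{}).(string)
			if uid == "" { // wrong mount order: nothing to key on, no headers, no limit
				next.ServeHTTP(w, r)
				return
			}
			n, err := store.Incr("ratelimit:uid:" + uid)
			if err != nil { // Redis down: let the request through
				next.ServeHTTP(w, r)
				return
			}
			remaining := limit - n
			if remaining < 0 {
				remaining = 0
			}
			w.Header().Set("X-RateLimit-Scope", "uid")
			w.Header().Set("X-RateLimit-Remaining", fmt.Sprint(remaining))
			if n > limit {
				http.Error(w, "rate.limited", http.StatusTooManyRequests)
				return
			}
			next.ServeHTTP(w, r)
		})
	}
}

var ok = http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })

// BuildChain mounts the limiter inside AuthMiddleware (correct) or outside it (the bug).
func BuildChain(store *Store, limit int, limiterAfterAuth bool) http.Handler {
	lim := UIDRateLimiter(store, limit)
	if limiterAfterAuth {
		return AuthMiddleware(lim(ok))
	}
	return lim(AuthMiddleware(ok))
}

// Probe sends n constructed requests as uid "u1" and returns the status
// codes plus the X-RateLimit-Scope header of the last response.
func Probe(h http.Handler, n int) ([]int, string) {
	codes := make([]int, 0, n)
	scope := ""
	for i := 0; i < n; i++ {
		req := httptest.NewRequest("POST", "/v1/app_bot/apply", nil)
		req.Header.Set("X-UID", "u1")
		rec := httptest.NewRecorder()
		h.ServeHTTP(rec, req)
		codes = append(codes, rec.Code)
		scope = rec.Header().Get("X-RateLimit-Scope")
	}
	return codes, scope
}

func main() {
	store := &Store{}
	fmt.Println(Probe(BuildChain(store, 2, true), 3))  // [200 200 429] uid
	store.Reset()
	fmt.Println(Probe(BuildChain(store, 2, false), 3)) // [200 200 200] (no scope header)
}
```

The Reset between the two runs is the same point the PR makes about ratelimit:uid:* in test setup: without it the second chain would inherit the first chain's counter and the results would depend on test ordering.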