- Move src/bin/api/db/ and src/bin/api/handlers/ to src/db/ and
src/handlers/ so they compile as library modules accessible to both
the native binary and the Cloudflare Workers entry point
- Upgrade worker crate 0.5 → 0.7; add workers-api feature flag and
cdylib/rlib crate-type to Cargo.toml
- Update flake.nix: add worker-build and just to the dev shell; bump
flake.lock (nixpkgs + rust-overlay)
- Consolidate rate limit rules to one (Free plan allows only 1 rule
per zone in the http_ratelimit phase)
- Update infra/worker.tf to deploy via wrangler rather than Terraform
(Cloudflare provider v4 can't upload ES module + wasm bundles)
- Extend .gitignore to exclude *.wasm build artifacts
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Adds infra/rate-limits.tf with a cloudflare_ruleset (phase: http_ratelimit)
implementing per-IP rate limits on all mutating API endpoints:
- PUT /api/quotes: 5 requests per 10 minutes (quote creation)
- POST /api/quotes/:id/report: 3 requests per hour (abuse reports)
- POST /api/quotes/:id: 10 requests per minute (quote updates)
- DELETE /api/quotes/:id: 10 requests per minute (quote deletes)
The report rule is ordered before the general update rule to ensure the
more-specific /report path matches before the broader /api/quotes/:id
pattern. Documents the approach, plan requirements, and layered protection
rationale in docs/ARCHITECTURE.md.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>