ibexharness
DocsBlogReleasesRoadmap
GitHub
ibexharness

Documentation

Architecture Decision RecordsADR-0002: Repository foundation bootstrapADR-0003: Branch protection and merge policyADR-0004: Protobuf and code generation policyADR-0005: Postgres migration strategyADR-0006: Auth protobuf contract (`ibex.auth.v1`)ADR-0007: Auth token validation implementationADR-0008: Security scanning and CI quality gatesADR-0009: Permission bitmap layoutADR-0010: Cryptography policyADR-0011: Proxy auth gRPC client and middlewareADR-0012: Proxy request normalization (OpenAI chat)ADR-0013: Proxy input validation and stable error envelopeADR-0014: Core domain migration sequencingADR-0015: Proxy rate limit skeleton (Phase 1)ADR-0016: Proxy agent identity verification (Phase 1)ADR-0017: Request ID and trace context strategy (Phase 1)ADR-0018: Graceful shutdown contract (Phase 1)ADR-0019: OpenTelemetry provider configuration (Phase 1)ADR-0020: Shared package boundaries — `packages/config` and `packages/apierror`ADR-0021: Prometheus Metric Catalog (Phase 1)ADR-0022: Health check contract (Phase 1)ADR-0023: Docs site architecture (Phase 1.5)
ADRs›ADR-0015: Proxy rate limit skeleton (Phase 1)
ADRs

ADR-0015: Proxy rate limit skeleton (Phase 1)

Architecture decision record 0015.

ADR-0015: Proxy rate limit skeleton (Phase 1)

  • Status: Accepted
  • Date: 2026-06-06
  • Authors: IBEX Harness team

Context

Phase 2 will call real LLM providers; without rate limiting, runaway tests can exhaust credits. Phase 4 adds hierarchical Redis Lua limits. Milestone 1.2.4 introduces a minimal org-level limiter in the proxy pipeline after auth and before handlers, without blocking traffic when Redis is unavailable.

Decision

1) Package layout

  • packages/ratelimit — Limiter interface, RedisSlider implementation (Redis INCR + EXPIRE), ParseRedisURL
  • services/proxy/internal/http/ratelimit_middleware.go — HTTP middleware only; no direct Redis calls in proxy
  • Config remains in services/proxy/internal/config until M1.4.2 (packages/config)

2) Algorithm (Phase 1)

  • Org-level calendar-minute window: key ratelimit:{org_id}:rpm:{unix_minute} per 15-redis-patterns.mdc
  • On first increment in a window: EXPIRE 90s (clock skew buffer)
  • Not atomic — acceptable soft limit until Phase 4 Lua scripts
  • agentID parameter accepted on Check but ignored in Phase 1 (org-level only)
  • BurstSize reserved for Phase 4; Phase 1 enforces requests_per_minute only

3) Fail-open vs fail-closed

ControlRedis failure behavior
AuthFail closed → 503 SERVICE_DEGRADED
Rate limitFail open → allow request + warn log

Rationale: rate limiting is cost/quality control, not a security boundary.

4) HTTP mapping

ConditionHTTPcode
Over org RPM429RATE_LIMITED

Response headers on limited or allowed requests:

  • X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset (Unix seconds)
  • Retry-After (seconds, min 1) on 429 only

Stable envelope via services/proxy/internal/errors (not packages/apierror until M1.4.2).

5) Configuration

VariableDefaultNotes
IBEX_RATE_LIMIT_DEFAULT_RPM60Org default
IBEX_RATE_LIMIT_ORG_OVERRIDES(empty)uuid=rpm,uuid2=rpm2

No DB-backed limits in Phase 1.

6) Middleware order

Amends ADR-0013 §8. Superseded for agent step by ADR-0016 (M1.2.5 inserts agentVerify after auth, before rateLimit):

POST /v1/chat/completions:
  bodyLimit → contentType → auth → agentVerify → rateLimit → handler

GET /v1/internal/auth-probe:
  auth → agentVerify → rateLimit → handler

GET /v1/orgs/{org_id}/auth-probe:
  pathOrgUUID → auth → agentVerify → rateLimit → handler

7) Deferred

  • Agent-level and hierarchical limits (Phase 4 Lua)
  • Prometheus rate-limit metrics (M1.3.2)
  • packages/apierror code registry (M1.4.2)
  • End-to-end security matrix (M1.5.1)

Consequences

Positive

  • Cost protection before Phase 2 provider calls
  • Interface stable for Phase 4 replacement of RedisSlider internals
  • Per-org isolation via Redis key naming

Negative

  • Non-atomic INCR may allow slight overshoot under concurrency
  • Auth context org_id must be a valid UUID string for rate limit middleware

References

  • Milestone 1.2.4
  • ADR-0013
  • DATABASE_SCHEMA.md — Redis rate limit keys

Was this page helpful?

Edit on GitHub

Last updated on

PreviousADR-0014: Core domain migration sequencingNextADR-0016: Proxy agent identity verification (Phase 1)

On this page

  • Context
  • Decision
  • 1) Package layout
  • 2) Algorithm (Phase 1)
  • 3) Fail-open vs fail-closed
  • 4) HTTP mapping
  • 5) Configuration
  • 6) Middleware order
  • 7) Deferred
  • Consequences
  • Positive
  • Negative
  • References
0%