api: SetAPIToken, SetNotifier, questionStore, per-IP rate limiter

- Extract questionStore interface for testability of handleAnswerQuestion - Add SetAPIToken/SetNotifier methods for post-construction wiring - Extract processResult() from forwardResults() for direct testability - Add ipRateLimiter with token-bucket per IP; applied to /elaborate and /validate - Fix tests for running-task deletion and retry-limit that relied on invalid state transitions in setup Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
author: Peter Stone <thepeterstone@gmail.com> 2026-03-08 20:40:31 +0000
committer: Peter Stone <thepeterstone@gmail.com> 2026-03-08 20:40:31 +0000
commit: 417034be7f745062901a940d1a021f6d85be496e (patch)
tree: 666956207b58c915090f6641891304156cf93670 /internal/api/elaborate.go
parent: 181a37698410b68e00a885593b6f2b7acf21f4b4 (diff)
1 files changed, 5 insertions, 0 deletions
diff --git a/internal/api/elaborate.go b/internal/api/elaborate.go
index e480e00..8a18dee 100644
--- a/internal/api/elaborate.go
+++ b/internal/api/elaborate.go
@@ -85,6 +85,11 @@ func (s *Server) claudeBinaryPath() string {
 }
 
 func (s *Server) handleElaborateTask(w http.ResponseWriter, r *http.Request) {
+	if s.elaborateLimiter != nil && !s.elaborateLimiter.allow(realIP(r)) {
+		writeJSON(w, http.StatusTooManyRequests, map[string]string{"error": "rate limit exceeded"})
+		return
+	}
+
 	var input struct {
 		Prompt     string `json:"prompt"`
 		ProjectDir string `json:"project_dir"`
author	Peter Stone <thepeterstone@gmail.com>	2026-03-08 20:40:31 +0000
committer	Peter Stone <thepeterstone@gmail.com>	2026-03-08 20:40:31 +0000
commit	417034be7f745062901a940d1a021f6d85be496e (patch)
tree	666956207b58c915090f6641891304156cf93670 /internal/api/elaborate.go
parent	181a37698410b68e00a885593b6f2b7acf21f4b4 (diff)