From 417034be7f745062901a940d1a021f6d85be496e Mon Sep 17 00:00:00 2001
From: Peter Stone
Date: Sun, 8 Mar 2026 20:40:31 +0000
Subject: api: SetAPIToken, SetNotifier, questionStore, per-IP rate limiter

- Extract questionStore interface for testability of handleAnswerQuestion
- Add SetAPIToken/SetNotifier methods for post-construction wiring
- Extract processResult() from forwardResults() for direct testability
- Add ipRateLimiter with token-bucket per IP; applied to /elaborate and /validate
- Fix tests for running-task deletion and retry-limit that relied on invalid state transitions in setup
Co-Authored-By: Claude Sonnet 4.6
---
 internal/api/elaborate.go | 5 +++++
 1 file changed, 5 insertions(+)
(limited to 'internal/api/elaborate.go')
diff --git a/internal/api/elaborate.go b/internal/api/elaborate.go
index e480e00..8a18dee 100644
--- internal/api/elaborate.go
+++ b/internal/api/elaborate.go
@@ -85,6 +85,11 @@ func (s *Server) claudeBinaryPath() string {
 }
 
 func (s *Server) handleElaborateTask(w http.ResponseWriter, r *http.Request) {
+ if s.elaborateLimiter != nil && !s.elaborateLimiter.allow(realIP(r)) {
+ writeJSON(w, http.StatusTooManyRequests, map[string]string{"error": "rate limit exceeded"})
+ return
+ }
+
 var input struct {
 Prompt string `json:"prompt"`
 ProjectDir string `json:"project_dir"`
-- 
cgit v1.2.3
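Review bot: The limiter at the top of `handleElaborateTask` is keyed on `realIP(r)`, whose implementation is not in this hunk. If it reads `X-Forwarded-For` or `X-Real-IP` from any caller rather than only from a trusted proxy, the bucket key is caller-controlled and the per-IP limit no longer bounds anything; if it uses only `RemoteAddr` behind a proxy, every client shares one bucket. The trust assumption deserves a comment at the call site, e.g. `// realIP must honour forwarding headers only from trusted proxies; otherwise the limiter key is caller-controlled`. The `s.elaborateLimiter != nil` guard also fails open, so a Server built without a limiter serves this endpoint unthrottled; the constructor should be checked to always set it, and a `Retry-After` header on the 429 would let well-behaved clients back off. The body of handleElaborateTask continues past the end of the hunk.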