@shubhamkr790checks…feat/upstash-rate-limit-and-tool-cap → main6 files · +198 −1updated 2w agoAdds two server-side guards that the README explicitly calls out as missing (lines 124–131):
/api/chat — 20 requests / 60 s per user (configurable).Both are opt-in: if UPSTASH_REDIS_REST_URL and UPSTASH_REDIS_REST_TOKEN are not set, everything passes through and existing deployments are unaffected.
Security note: Without rate limiting, any authenticated user on a public TrustClaw instance can trigger unlimited Composio tool executions and AI Gateway calls, burning through the host's API credits with no guardrail. This is the exact scenario the README warns about. The sliding-window limiter stops burst abuse, and the monthly cap puts a hard ceiling on per-user resource consumption — both essential before opening signups beyond a trusted circle.
| Layer | Where | Default | Response |
|---|---|---|---|
| Rate limit | route.ts POST handler | 20 req / 60 s | 429 + Retry-After header |
| Tool-call cap (check) | route.ts POST handler | 1 000 / month | 403 with message |
| Tool-call cap (increment) | setup.ts onFinish | — | fire-and-forget after agent run |
trustclaw:toolcap:{userId}:{YYYY-MM} — new month = new key, old ones self-clean after 35 days.RATE_LIMIT_CHAT_REQUESTS, RATE_LIMIT_CHAT_WINDOW, MONTHLY_TOOL_CALL_CAP).src/server/clients/ratelimit.ts — new module: Upstash Redis client, rate limiter, cap check/incrementsrc/app/api/chat/route.ts — rate limit + cap enforcement before agent executionsrc/server/api/routers/trustclaw/agent/setup.ts — tool-call count increment in onFinish.env.example — documents new env varspackage.json — adds @upstash/ratelimit, @upstash/redis@upstash/ratelimit — sliding window rate limiter built for serverless@upstash/redis — REST-based Redis client (works on Vercel Edge + serverless)tsc --noEmit — only pre-existing Prisma-generation errors remain).Review the following changes in direct dependencies. Learn more about Socket for GitHub.