Remove agent rate limiting and its env knobs #188
Merged
Removes the agent rate-limiting subsystem entirely (request limits + the per-client concurrency cap) rather than disabling it via a flag, so the env surface shrinks instead of growing.

Code:
- Delete src/lib/server/rate-limit.ts (sliding window + concurrency, memory/postgres stores).
- Drop enforcement from /api/agent and /api/agent/follow-ups (no more 429 AGENT_RATE_LIMITED / CONCURRENCY_LIMITED paths).
- agent-runtime-config.ts: remove the rate-limit/concurrency constants and the AGENT_RATE_LIMIT_ENABLED / AGENT_RATE_LIMIT_STORE env knobs (and the now-unused env parse helpers).
- agent-route.ts: remove the rate-limit decision type, X-RateLimit/Retry-After headers, and the onStreamSettled settle machinery (its only caller was the concurrency-slot release).

Storage:
- app-migrate.mjs now drops the agent_rate_limit table (following the existing legacy-table cleanup pattern) instead of creating it.

Tests & docs:
- Remove rate-limit tests/stubs and the rate-limit assertions in the route, helper, and http-error tests.
- Update README, .env.example, and CLAUDE.md (no AGENT_RATE_LIMIT_* env vars).

Not touched: Better Auth's credential-route limiter in src/lib/server/auth.ts (sign-in/sign-up brute-force protection) remains enabled — a separate, security-sensitive control.

Verified: pnpm lint, format:check, typecheck, and test (150/150) pass; pnpm app:migrate drops the table on the local DB; the dev app compiles (/api/agent returns 401 unauthenticated, home redirects to sign-in).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
What
Removes the agent rate-limiting subsystem entirely — the sliding-window request limit (60/min/user) and the per-client concurrency cap (4 in-flight) — rather than disabling it behind a flag.
Why
The goal was to drop the limits and keep the env surface minimal. Flipping the existing AGENT_RATE_LIMIT_ENABLED=false kill switch would add an env var; deleting the feature lets us remove AGENT_RATE_LIMIT_ENABLED and AGENT_RATE_LIMIT_STORE instead.
Changes
Code
- src/lib/server/rate-limit.ts (sliding window + concurrency, memory/postgres stores).
- /api/agent and /api/agent/follow-ups — no more 429 AGENT_RATE_LIMITED / *_CONCURRENCY_LIMITED paths.
- agent-runtime-config.ts: remove the rate-limit/concurrency constants and the AGENT_RATE_LIMIT_ENABLED / AGENT_RATE_LIMIT_STORE env knobs (plus the now-unused env-parse helpers).
- agent-route.ts: remove the rate-limit decision type, X-RateLimit-* / Retry-After headers, and the now-dead onStreamSettled settle machinery (its only caller was the concurrency-slot release).
Storage
- app-migrate.mjs now drops the agent_rate_limit table (following the existing legacy-table cleanup pattern) instead of creating it. The table holds only transient counters, so dropping it is safe.
Tests & docs
- README.md, .env.example, and CLAUDE.md (no AGENT_RATE_LIMIT_* env vars).
Net: +40 / −1192 across 17 files.
Out of scope (intentionally kept)
- src/lib/server/auth.ts still has Better Auth's credential-route limiter (rateLimit: { enabled: true }) — sign-in/sign-up brute-force protection (~100 req/10 s global; 5 req/15 min on credential routes). That's a distinct, security-sensitive control on the auth endpoints, not the agent throttling. Say the word if you want it removed too.
Verification
- pnpm lint (--max-warnings=0), pnpm format:check, pnpm typecheck, pnpm test → 150/150 all pass.
- pnpm app:migrate against the local DB drops agent_rate_limit (verified before/after).
- POST /api/agent returns 401 unauthenticated, home redirects to /sign-in.
🤖 Generated with Claude Code