Skip to main content
Status: ✅ Complete — 2026-03-06 (Phase 1–3) Spec Reference: PF-42 Rate Limiting & Throttling
Last Updated: 2026-03-04

Purpose

PF-42 provides a centralized rate limiting and throttling framework. This document captures integration points: PF dependencies (PF-01, PF-04, PF-10), the event published on rate limit violation, and the database/edge API consumed by edge functions and client hooks.

PF Dependencies


Event Contract: pf_rate_limit_violated

Event: pf_rate_limit_violated (canonical identifier; subscribe to this name)
Publisher: PF-42 (Rate Limiting Framework)
Subscribers: PF-10 (Notifications), PF-48 (Security Event Monitoring — future)
Status: 📝 Planned

Purpose

Notify platform admins and security monitoring when a rate limit is exceeded so they can respond to abuse and adjust limits.

Trigger Conditions

  • After pf_check_rate_limit() returns allowed = false and a row is inserted into pf_rate_limit_violations.

Payload Schema

Canonical payload fields (single source of truth for pf_rate_limit_violated): TypeScript shape:
Event envelope may include event_type: 'pf_rate_limit_violated' and timestamp; consumers MUST use the fields above for canonical interpretation.

Consumer Actions


Database Function API: pf_check_rate_limit

Function: pf_check_rate_limit()
Provider: PF-42
Consumers: Edge functions (API rate limiting), server-side callers
Status: ✅ Implemented (Phase 1 migration 20260306114910)

Function Signature

See spec Data Model § Database Functions. Parameters: p_organization_id, p_user_id, p_ip_address, p_endpoint, p_limit_type. Returns: allowed, remaining, reset_at, rate_limit_id.

Security

  • SECURITY DEFINER; SET search_path = public. Callers must pass validated IP (see spec FR-3.2 for getValidatedIPAddress and trusted proxy whitelist).

Platform Integration Layer (Consumed by Cores)

  • Rate limit check (client): useRateLimit hook (see spec API Design). Cores use this for UI-level rate limit checks.
  • Rate limit check (server): Edge functions call pf_check_rate_limit() at request entry; return 429 with Retry-After when not allowed.

API Contract: Check Rate Limit (Edge)

Endpoint: Edge function check-rate-limit (or equivalent)
Method: POST
Provider: PF-42
Consumers: Client useRateLimit, other edge functions that need to check limits
Status: 📝 Planned

Request / Response

See spec § API Design — Backend Edge Functions. Request: organizationId, userId?, ipAddress?, endpoint?, limitType?. Response: allowed, remaining, resetAt, rateLimitId.

Error

  • 429 Too Many Requests with Retry-After header when rate limited.

References