# Story 6.4: Rate Limiting

## Metadata

- **Story ID**: 6.4
- **Title**: Rate Limiting
- **Epic**: 6 - Observability & Production Readiness
- **Status**: Pending
- **Priority**: High
- **Estimated Time**: 4-5 hours
- **Dependencies**: 1.5, 5.1

## Goal

Implement rate limiting to prevent API abuse and ensure fair resource usage.

## Description

This story implements rate limiting middleware that limits requests per user and per IP address, with configurable limits per endpoint.

## Deliverables

### 1. Rate Limiting Middleware

- Per-user rate limiting
- Per-IP rate limiting
- Configurable limits per endpoint
- Rate limit storage (Redis)
- Return `X-RateLimit-*` headers

### 2. Configuration

- Rate limit config in `config/default.yaml`:

```yaml
rate_limiting:
  enabled: true
  per_user: 100/minute
  per_ip: 1000/minute
```

### 3. Integration

- Integrate with HTTP server
- Add to middleware stack
- Error responses for rate limit exceeded

## Acceptance Criteria

- [ ] Rate limiting prevents abuse
- [ ] Per-user limits work correctly
- [ ] Per-IP limits work correctly
- [ ] Rate limit headers are returned
- [ ] Configuration is flexible
- [ ] Rate limits are stored in Redis

## Files to Create/Modify

- `internal/server/middleware.go` - Rate limiting middleware
- `internal/infra/ratelimit/limiter.go` - Rate limiter implementation
- `config/default.yaml` - Add rate limit config
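The following is a worked example of the limiter and middleware the deliverables above describe, added here for illustration; it is not code from the project. It charges a per-IP and a per-user fixed-window bucket, denies when either is exhausted, and emits the `X-RateLimit-*` headers plus a `429` with `Retry-After`. The `Store` interface is the seam where the Redis storage the story specifies plugs in; `MemoryStore`, the `Limiter`/`Decision` types, the `userOf` callback and the sample ids are assumptions of this example.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"strconv"
	"sync"
	"time"
)

// Limit is one rule from config/default.yaml: "100/minute" is Limit{100, time.Minute}.
type Limit struct {
	Requests int
	Window   time.Duration
}
// Store counts hits per key in a fixed window. The story specifies Redis (INCR, then EXPIRE
// when the returned count is 1); MemoryStore is an offline stand-in with the same contract.
type Store interface {
	Incr(key string, window time.Duration, now time.Time) (count int, resetAt time.Time)
}

type MemoryStore struct {
	mu     sync.Mutex
	counts map[string]int
	resets map[string]time.Time
}

func NewMemoryStore() *MemoryStore { return &MemoryStore{counts: map[string]int{}, resets: map[string]time.Time{}} }

func (s *MemoryStore) Incr(key string, win time.Duration, now time.Time) (int, time.Time) {
	s.mu.Lock()
	defer s.mu.Unlock()
	if reset, ok := s.resets[key]; !ok || !now.Before(reset) { // first hit, or the window expired
		s.counts[key], s.resets[key] = 0, now.Add(win)
	}
	s.counts[key]++
	return s.counts[key], s.resets[key]
}

// Decision feeds the X-RateLimit-* headers; Scope ("ip" or "user") names the bucket described.
type Decision struct {
	Allowed          bool
	Limit, Remaining int
	ResetAt          time.Time
	Scope            string
}

type Limiter struct {
	Store          Store
	PerUser, PerIP Limit
	Now            func() time.Time // injectable clock, so tests are deterministic
}

func (l *Limiter) charge(scope, id string, lim Limit, now time.Time) Decision {
	count, reset := l.Store.Incr(scope+":"+id, lim.Window, now)
	d := Decision{Allowed: count <= lim.Requests, Limit: lim.Requests, ResetAt: reset, Scope: scope}
	if d.Allowed {
		d.Remaining = lim.Requests - count
	}
	return d
}

// Check always charges the per-IP bucket (it also covers anonymous traffic) and charges the
// per-user bucket when a user is known. Exhausting either bucket denies the request; the
// Decision returned describes whichever bucket is closer to exhaustion.
func (l *Limiter) Check(userID, ip string) Decision {
	now := l.Now()
	d := l.charge("ip", ip, l.PerIP, now)
	if userID == "" || !d.Allowed {
		return d
	}
	if u := l.charge("user", userID, l.PerUser, now); !u.Allowed || u.Remaining < d.Remaining {
		return u
	}
	return d
}

// Middleware sets X-RateLimit-* on every response and answers 429 when a bucket is exhausted.
// userOf is supplied by the auth layer ("" for anonymous), never read from a client header; the
// IP is the TCP peer, since X-Forwarded-For is client-controlled unless a trusted proxy sets it.
func (l *Limiter) Middleware(userOf func(*http.Request) string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		ip, _, _ := net.SplitHostPort(r.RemoteAddr)
		d := l.Check(userOf(r), ip)
		h := w.Header()
		h.Set("X-RateLimit-Limit", strconv.Itoa(d.Limit))
		h.Set("X-RateLimit-Remaining", strconv.Itoa(d.Remaining))
		h.Set("X-RateLimit-Reset", strconv.FormatInt(d.ResetAt.Unix(), 10))
		if !d.Allowed {
			wait := (d.ResetAt.Sub(l.Now()) + time.Second - 1) / time.Second // whole seconds, rounded up
			h.Set("Retry-After", strconv.FormatInt(int64(wait), 10))
			http.Error(w, "rate limit exceeded", http.StatusTooManyRequests)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	// The two limits from config/default.yaml; "alice" and the address are constructed sample ids.
	l := &Limiter{Store: NewMemoryStore(), PerUser: Limit{100, time.Minute}, PerIP: Limit{1000, time.Minute}, Now: time.Now}
	fmt.Printf("%+v\n", l.Check("alice", "203.0.113.7"))
}
```

To back this with Redis as the story requires, implement `Store.Incr` as `INCR key` followed by `EXPIRE key <window>` when the returned count is 1 (or both in one Lua script so the expiry cannot be lost between the two calls), keeping the same `ip:`/`user:` key prefixes; per-endpoint limits can be added by folding the route into the key. Two properties of this design are worth stating in the acceptance tests: a client must not be able to choose its own bucket (hence the peer address and an auth-supplied user id rather than request headers), and a fixed window lets a client spend up to two windows' worth of requests across a boundary, which is acceptable for abuse prevention but should be replaced by a sliding window if the limit is meant to be exact.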