Part of #32: Security Hardening - API Key Storage and Input Sanitization
Scope
Implement client-side rate limiting to prevent accidental API quota exhaustion and protect against runaway request loops.
What to do
- Implement a token-bucket or sliding-window rate limiter in the
ai/common module (or each client if common module does not yet exist)
- Configure per-provider default rate limits based on documented API limits
- Make rate limits configurable in the settings panel
- When rate limit is hit, queue the request or show a user notification with estimated wait time
- Add a cooldown mechanism for rapid repeated failures (exponential backoff)
Acceptance criteria
- Each AI client enforces a configurable requests-per-minute limit
- Rate limit hits produce a user-visible notification (not a silent failure)
- Default limits are set conservatively per provider
- Rapid-fire clicking "Send" does not flood the API
Part of #32: Security Hardening - API Key Storage and Input Sanitization
Scope
Implement client-side rate limiting to prevent accidental API quota exhaustion and protect against runaway request loops.
What to do
ai/commonmodule (or each client if common module does not yet exist)Acceptance criteria