feat(flags): Add per-team rate limiting to flag definitions endpoint

FlagDefinitionsRateLimiterImplements configurable rate limiting for the `/flags/definitions` endpoint to protect against excessive requests and allow per-team customization.

Key features:
- Configurable default rate limit via `FLAG_DEFINITIONS_DEFAULT_RATE_PER_MINUTE` (default: 600/minute)
- Per-team overrides via `FLAG_DEFINITIONS_RATE_LIMITS` environment variable Format: `{"team_id": "rate_string"}` (e.g., `{"123": "1200/minute", "456": "2400/hour"}`)
- Supports Django `SimpleRateThrottle` rate format (N/second|minute|hour|day)
- Rate limiting occurs after authentication to prevent enumeration attacks
- Thread-safe implementation using governor with `Arc<RwLock>`
- Prometheus metrics for monitoring:
  - `flags_flag_definitions_requests_total`
  - `flags_flag_definitions_rate_limited_total`

Implementation:
- Generic `KeyedRateLimiter<K>` struct for reusable rate limiting with any key type
- Configurable Prometheus metrics via constructor parameters
- Uses GCRA (Generic Cell Rate Algorithm) via `governor` crate for efficiency
- `rate_parser` module for parsing Django-style rate strings
- Renamed `local_evaluation` module to `flag_definitions` for clarity
- Integrated into `flags_definitions` handler in `flag_definitions` module
- Comprehensive test coverage (9 unit tests, 24 integration tests)

Module refactoring:
- local_evaluation.rs → flag_definitions.rs
- test_local_evaluation.rs → test_flag_definitions.rs
- LocalEvaluationResponse → FlagDefinitionsResponse
- LocalEvaluationQueryParams → FlagDefinitionsQueryParams
- authenticate_local_evaluation → authenticate_flag_definitions
- FlagRequestType::LocalEvaluation → FlagRequestType::FlagDefinitions

Environment variables:
- `FLAG_DEFINITIONS_DEFAULT_RATE_PER_MINUTE`: Default rate for all teams (default: 600)
- `FLAG_DEFINITIONS_RATE_LIMITS`: JSON map of team_id to rate string for overrides

Author: haacked

rust/Cargo.lock

@@ -16,6 +16,7 @@ common-database = { path = "../common/database" }
 common-redis = { path = "../common/redis" }
 common-types = { path = "../common/types" }
 envconfig = { workspace = true }
+governor = { workspace = true }
 limiters = { path = "../common/limiters" }
 tokio = { workspace = true }
 tracing = { workspace = true }

rust/feature-flags/Cargo.toml

@@ -14,18 +14,18 @@ use serde::{Deserialize, Serialize};
 use serde_json::Value;
 use tracing::{info, warn};
 
-/// Response for local evaluation endpoint
+/// Response for flag definitions endpoint
 /// This is returned as raw JSON from cache to avoid deserialization overhead
-pub type LocalEvaluationResponse = Value;
+pub type FlagDefinitionsResponse = Value;
 
-/// Query parameters for the local evaluation endpoint
+/// Query parameters for the flag definitions endpoint
 #[derive(Debug, Deserialize, Serialize)]
-pub struct LocalEvaluationQueryParams {
+pub struct FlagDefinitionsQueryParams {
     /// Team API token - required to specify which team's flags to return
     pub token: String,
 }
 
-/// Local evaluation endpoint handler
+/// Flag definitions endpoint handler
 ///
 /// This endpoint provides flag definitions for client-side evaluation.
 ///
@@ -47,14 +47,14 @@ pub struct LocalEvaluationQueryParams {
 #[debug_handler]
 pub async fn flags_definitions(
     State(state): State<AppState>,
-    Query(params): Query<LocalEvaluationQueryParams>,
+    Query(params): Query<FlagDefinitionsQueryParams>,
     headers: HeaderMap,
     method: Method,
 ) -> Result<Response, FlagError> {
     info!(
         method = %method,
         token = %params.token,
-        "Processing local evaluation request (always includes cohorts)"
+        "Processing flag definitions request (always includes cohorts)"
     );
 
     // Only GET is supported for this read-only endpoint
@@ -67,7 +67,10 @@ pub async fn flags_definitions(
     let team = fetch_team_by_token(&state, &params.token).await?;
 
     // Authenticate against the specified team
-    authenticate_local_evaluation(&state, &team, &headers).await?;
+    authenticate_flag_definitions(&state, &team, &headers).await?;
+
+    // Check rate limit for this team
+    state.flag_definitions_limiter.check_rate_limit(team.id)?;
 
     // Retrieve cached response from HyperCache (always with cohorts)
     let cached_response = get_from_cache(&state, &team).await?;
@@ -122,7 +125,7 @@ async fn fetch_team_by_token(state: &AppState, token: &str) -> Result<Team, Flag
 async fn get_from_cache(
     state: &AppState,
     team: &Team,
-) -> Result<LocalEvaluationResponse, FlagError> {
+) -> Result<FlagDefinitionsResponse, FlagError> {
     // Configure HyperCache to use the flags_with_cohorts.json cache key
     // This ensures we always return cohort definitions along with flag definitions
     let hypercache_config = HyperCacheConfig::new(
@@ -159,13 +162,13 @@ async fn get_from_cache(
     info!(
         team_id = team.id,
         source = source_name,
-        "Cache hit for local evaluation (with cohorts)"
+        "Cache hit for flag definitions (with cohorts)"
     );
 
     Ok(data)
 }
 
-/// Authenticates local evaluation requests using team secret API tokens or personal API keys
+/// Authenticates flag definitions requests using team secret API tokens or personal API keys
 ///
 /// Validates that the authentication credential has access to the specified team.
 ///
@@ -176,7 +179,7 @@ async fn get_from_cache(
 /// Priority: Secret API tokens take precedence over personal API keys when both are provided.
 ///
 /// Returns Ok(()) if authentication succeeds, Err otherwise
-async fn authenticate_local_evaluation(
+async fn authenticate_flag_definitions(
     state: &AppState,
     team: &Team,
     headers: &HeaderMap,

rust/feature-flags/src/api/local_evaluation.rs renamed to rust/feature-flags/src/api/flag_definitions.rs

@@ -1,5 +1,7 @@
 pub mod auth;
 pub mod endpoint;
 pub mod errors;
-pub mod local_evaluation;
+pub mod flag_definitions;
+pub mod rate_limiter;
+pub mod rate_parser;
 pub mod types;