[Plugin] Create Rate Limiter Plugin using Plugin Framework

[crivetimihai]

Overview

Create a Rate Limiter Plugin that implements fixed-window in-memory rate limiting by user, tenant, and tool to prevent abuse and ensure fair usage.

Plugin Requirements

Plugin Details

• Name: RateLimiterPlugin
• Type: Self-contained (native) plugin
• File Location: plugins/rate_limiter/
• Complexity: Medium-High

Functionality

• Fixed-window rate limiting with configurable time windows
• Multi-dimensional rate limiting (by user, tenant, tool)
• In-memory storage with cleanup for expired windows
• Configurable rate limit policies and error responses
• Rate limit headers for client awareness

Hook Integration

• Primary Hooks: prompt_pre_fetch, tool_pre_invoke
• Purpose: Prevent API abuse and ensure fair resource usage
• Behavior: Block requests that exceed configured rate limits

Configuration Schema

plugins:
  - name: "RateLimiter"
    kind: "plugins.rate_limiter.limiter.RateLimiterPlugin"
    description: "Fixed-window in-memory rate limiting by user/tenant/tool"
    version: "0.1.0"
    hooks: ["prompt_pre_fetch", "tool_pre_invoke"]
    mode: "enforce"
    priority: 25
    config:
      # Rate limiting policies
      policies:
        by_user: "60/m"      # 60 requests per minute per user
        by_tenant: "600/m"   # 600 requests per minute per tenant
        by_ip: "100/m"       # 100 requests per minute per IP
        by_tool:
          web_scraper: "10/m"
          api_caller: "30/m"
          database_query: "20/m"
        global: "1000/m"     # Global rate limit
      
      # Window configuration
      window:
        type: "fixed"        # fixed | sliding
        size: 60            # Window size in seconds
        cleanup_interval: 300 # Cleanup expired windows every 5 minutes
      
      # Rate limit key generation
      key_generation:
        include_user_id: true
        include_tenant_id: true
        include_ip_address: true
        include_user_agent: false
        custom_headers: ["X-API-Key"]
      
      # Response handling
      response:
        status_code: 429
        error_message: "Rate limit exceeded. Try again in {reset_time} seconds."
        include_headers: true
        headers:
          retry_after: true
          remaining: true
          reset_time: true
      
      # Burst handling
      burst_protection:
        enabled: true
        burst_multiplier: 2.0  # Allow 2x normal rate for short bursts
        burst_window: 10       # 10-second burst window
      
      # Exemptions
      exemptions:
        user_roles: ["admin", "service_account"]
        ip_whitelist: ["127.0.0.1", "10.0.0.0/8"]
        bypass_tools: ["health_check", "metrics"]
      
      # Storage settings
      storage:
        max_keys: 10000
        memory_limit_mb: 50
        persistence: false
      
      # Monitoring
      monitoring:
        log_violations: true
        metrics_enabled: true
        alert_threshold: 0.9  # Alert when 90% of limit used

Acceptance Criteria

• Plugin implements RateLimiterPlugin class
• Fixed-window rate limiting implementation
• Multi-dimensional limiting (user, tenant, tool, IP)
• In-memory storage with automatic cleanup
• Configurable rate limit policies
• Rate limit headers in responses
• Burst protection mechanism
• Exemption management
• Comprehensive monitoring and alerts
• Plugin manifest and documentation created
• Unit tests with >95% coverage
• Performance tests for high-throughput scenarios

Priority

High - Critical for production deployment security