Pulse/cmd
rcourtman 885a62e96b feat(security): Implement range-based rate limiting
Prevents multi-UID rate limit bypass attacks from containers. Previously,
attackers could create multiple users in a container (each mapped to
unique host UIDs 100000-165535) to bypass per-UID rate limits.

Implementation:
- Automatic detection of ID-mapped UID ranges from /etc/subuid and /etc/subgid
- Rate limits applied per-range for container UIDs
- Rate limits applied per-UID for host UIDs (backwards compatible)
- identifyPeer() checks if BOTH UID AND GID are in mapped ranges
- Metrics show peer='range:100000-165535' or peer='uid:0'

Security benefit: Entire container limited as single entity, preventing
100+ UIDs from bypassing rate controls.

New metrics:
- pulse_proxy_limiter_rejections_total{peer,reason}
- pulse_proxy_limiter_penalties_total{peer,reason}
- pulse_proxy_global_concurrency_inflight

Related to security audit 2025-11-07.

Co-authored-by: Codex <codex@openai.com>
2025-11-07 17:08:45 +00:00
..
hashpw Add hashpw utility for generating password hashes 2025-11-06 16:46:56 +00:00
pulse Improve bootstrap token UX for easier discovery 2025-11-06 17:29:49 +00:00
pulse-docker-agent Improve Alpine Linux support and agent startup validation 2025-11-05 19:01:09 +00:00
pulse-host-agent Refactor: Code cleanup and localStorage consolidation 2025-11-04 21:50:46 +00:00
pulse-sensor-proxy feat(security): Implement range-based rate limiting 2025-11-07 17:08:45 +00:00