diff --git a/packages/metaschema-modules/__tests__/__snapshots__/modules.test.ts.snap b/packages/metaschema-modules/__tests__/__snapshots__/modules.test.ts.snap
index d38ce4a1..2ffdee6c 100644
--- a/packages/metaschema-modules/__tests__/__snapshots__/modules.test.ts.snap
+++ b/packages/metaschema-modules/__tests__/__snapshots__/modules.test.ts.snap
@@ -18,6 +18,7 @@ exports[`db_meta_modules should have all expected module tables 1`] = `
     "permissions_module",
     "phone_numbers_module",
     "profiles_module",
+    "rate_limits_module",
     "rls_module",
     "secrets_module",
     "sessions_module",
@@ -31,8 +32,8 @@ exports[`db_meta_modules should have all expected module tables 1`] = `
 
 exports[`db_meta_modules should verify all module tables exist in metaschema_modules_public schema 1`] = `
 {
-  "moduleTablesCount": 22,
-  "totalTables": 28,
+  "moduleTablesCount": 23,
+  "totalTables": 29,
 }
 `;
 
@@ -87,13 +88,13 @@ exports[`db_meta_modules should verify emails_module table structure 1`] = `
 
 exports[`db_meta_modules should verify module table structures have database_id foreign keys 1`] = `
 {
-  "constraintCount": 64152,
+  "constraintCount": 69575,
 }
 `;
 
 exports[`db_meta_modules should verify module tables have proper foreign key relationships 1`] = `
 {
-  "constraintCount": 92266,
+  "constraintCount": 99730,
   "foreignTables": [
     "database",
     "field",
@@ -167,7 +168,7 @@ exports[`db_meta_modules should verify sessions_module table structure 1`] = `
       "is_nullable": "NO",
     },
     {
-      "column_default": "'app_auth_settings'::text",
+      "column_default": "'app_settings_auth'::text",
       "column_name": "auth_settings_table",
       "data_type": "text",
       "is_nullable": "NO",
@@ -180,7 +181,7 @@ exports[`db_meta_modules should verify specific module table column defaults 1`]
 {
   "sessionsDefaults": [
     {
-      "column_default": "'app_auth_settings'::text",
+      "column_default": "'app_settings_auth'::text",
       "column_name": "auth_settings_table",
     },
     {
diff --git a/packages/metaschema-modules/deploy/schemas/metaschema_modules_public/tables/rate_limits_module/table.sql b/packages/metaschema-modules/deploy/schemas/metaschema_modules_public/tables/rate_limits_module/table.sql
new file mode 100644
index 00000000..b53e8927
--- /dev/null
+++ b/packages/metaschema-modules/deploy/schemas/metaschema_modules_public/tables/rate_limits_module/table.sql
@@ -0,0 +1,41 @@
+-- Deploy schemas/metaschema_modules_public/tables/rate_limits_module/table to pg
+
+-- requires: schemas/metaschema_modules_public/schema
+
+BEGIN;
+
+CREATE TABLE metaschema_modules_public.rate_limits_module (
+    id uuid PRIMARY KEY DEFAULT uuidv7(),
+    database_id uuid NOT NULL,
+
+    --
+    schema_id uuid NOT NULL DEFAULT uuid_nil(),
+    rate_limit_settings_table_id uuid NOT NULL DEFAULT uuid_nil(),
+    ip_rate_limits_table_id uuid NOT NULL DEFAULT uuid_nil(),
+    rate_limits_table_id uuid NOT NULL DEFAULT uuid_nil(),
+
+    rate_limit_settings_table text NOT NULL DEFAULT 'app_settings_rate_limit',
+    ip_rate_limits_table text NOT NULL DEFAULT 'auth_ip_rate_limits',
+    rate_limits_table text NOT NULL DEFAULT 'auth_rate_limits',
+    --
+
+    CONSTRAINT db_fkey FOREIGN KEY (database_id) REFERENCES metaschema_public.database (id) ON DELETE CASCADE,
+    CONSTRAINT schema_fkey FOREIGN KEY (schema_id) REFERENCES metaschema_public.schema (id) ON DELETE CASCADE,
+    CONSTRAINT rate_limit_settings_table_fkey FOREIGN KEY (rate_limit_settings_table_id) REFERENCES metaschema_public.table (id) ON DELETE CASCADE,
+    CONSTRAINT ip_rate_limits_table_fkey FOREIGN KEY (ip_rate_limits_table_id) REFERENCES metaschema_public.table (id) ON DELETE CASCADE,
+    CONSTRAINT rate_limits_table_fkey FOREIGN KEY (rate_limits_table_id) REFERENCES metaschema_public.table (id) ON DELETE CASCADE,
+
+    --
+    CONSTRAINT rate_limits_module_database_id_uniq UNIQUE(database_id)
+);
+
+CREATE INDEX rate_limits_module_database_id_idx ON metaschema_modules_public.rate_limits_module ( database_id );
+
+COMMENT ON CONSTRAINT rate_limit_settings_table_fkey
+     ON metaschema_modules_public.rate_limits_module IS E'@fieldName rateLimitSettingsTableByRateLimitSettingsTableId';
+COMMENT ON CONSTRAINT ip_rate_limits_table_fkey
+     ON metaschema_modules_public.rate_limits_module IS E'@fieldName ipRateLimitsTableByIpRateLimitsTableId';
+COMMENT ON CONSTRAINT rate_limits_table_fkey
+     ON metaschema_modules_public.rate_limits_module IS E'@fieldName rateLimitsTableByRateLimitsTableId';
+
+COMMIT;
diff --git a/packages/metaschema-modules/deploy/schemas/metaschema_modules_public/tables/sessions_module/table.sql b/packages/metaschema-modules/deploy/schemas/metaschema_modules_public/tables/sessions_module/table.sql
index ae23470a..c1ffb797 100644
--- a/packages/metaschema-modules/deploy/schemas/metaschema_modules_public/tables/sessions_module/table.sql
+++ b/packages/metaschema-modules/deploy/schemas/metaschema_modules_public/tables/sessions_module/table.sql
@@ -18,7 +18,7 @@ CREATE TABLE metaschema_modules_public.sessions_module (
     sessions_default_expiration interval NOT NULL DEFAULT '30 days'::interval,
     sessions_table text NOT NULL DEFAULT 'sessions',
     session_credentials_table text NOT NULL DEFAULT 'session_credentials',
-    auth_settings_table text NOT NULL DEFAULT 'app_auth_settings',
+    auth_settings_table text NOT NULL DEFAULT 'app_settings_auth',
     --
 
     CONSTRAINT db_fkey FOREIGN KEY (database_id) REFERENCES metaschema_public.database (id) ON DELETE CASCADE,
diff --git a/packages/metaschema-modules/deploy/schemas/metaschema_modules_public/tables/storage_module/table.sql b/packages/metaschema-modules/deploy/schemas/metaschema_modules_public/tables/storage_module/table.sql
index e5b057da..7b0977be 100644
--- a/packages/metaschema-modules/deploy/schemas/metaschema_modules_public/tables/storage_module/table.sql
+++ b/packages/metaschema-modules/deploy/schemas/metaschema_modules_public/tables/storage_module/table.sql
@@ -25,6 +25,14 @@ CREATE TABLE metaschema_modules_public.storage_module (
     -- Entity table for RLS (users table, since users and orgs share it)
     entity_table_id uuid NULL,
 
+    -- S3 connection config (NULL = use global env/plugin defaults)
+    endpoint text NULL,                          -- S3-compatible API endpoint URL (MinIO, R2, DO Spaces, GCS, etc.)
+    public_url_prefix text NULL,                 -- Public URL prefix for generating download URLs (e.g., CDN domain)
+    provider text NULL,                          -- Storage provider type: 'minio', 's3', 'gcs', etc.
+
+    -- CORS configuration (NULL = use plugin defaults)
+    allowed_origins text[] NULL,                 -- Default CORS origins for all buckets in this database (e.g., ARRAY['https://app.example.com']). ['*'] = open/CDN mode.
+
     -- Per-database configurable settings (NULL = use plugin defaults)
     upload_url_expiry_seconds integer NULL,      -- Presigned PUT URL expiry (default: 900 = 15 min)
     download_url_expiry_seconds integer NULL,    -- Presigned GET URL expiry (default: 3600 = 1 hour)
diff --git a/packages/metaschema-modules/pgpm.plan b/packages/metaschema-modules/pgpm.plan
index 4059b36d..275d5c30 100644
--- a/packages/metaschema-modules/pgpm.plan
+++ b/packages/metaschema-modules/pgpm.plan
@@ -36,3 +36,4 @@ schemas/metaschema_modules_public/tables/blueprint_template/table [schemas/metas
 schemas/metaschema_modules_public/tables/blueprint/table [schemas/metaschema_modules_public/schema schemas/metaschema_modules_public/tables/blueprint_template/table] 2026-03-20T00:00:01Z Constructive <developers@constructive.io> # add blueprint table for owned executable blueprints
 schemas/metaschema_modules_public/tables/blueprint_construction/table [schemas/metaschema_modules_public/schema schemas/metaschema_modules_public/tables/blueprint/table] 2026-03-31T00:00:00Z Constructive <developers@constructive.io> # add blueprint_construction table for construction state tracking
 schemas/metaschema_modules_public/tables/storage_module/table [schemas/metaschema_modules_public/schema] 2026-03-24T00:00:00Z devin <devin@cognition.ai> # add storage_module config table for files and buckets
+schemas/metaschema_modules_public/tables/rate_limits_module/table [schemas/metaschema_modules_public/schema] 2026-04-15T00:00:00Z devin <devin@cognition.ai> # add rate_limits_module for centralized throttle configuration
diff --git a/packages/metaschema-modules/revert/schemas/metaschema_modules_public/tables/rate_limits_module/table.sql b/packages/metaschema-modules/revert/schemas/metaschema_modules_public/tables/rate_limits_module/table.sql
new file mode 100644
index 00000000..9b9015d7
--- /dev/null
+++ b/packages/metaschema-modules/revert/schemas/metaschema_modules_public/tables/rate_limits_module/table.sql
@@ -0,0 +1,7 @@
+-- Revert schemas/metaschema_modules_public/tables/rate_limits_module/table from pg
+
+BEGIN;
+
+DROP TABLE metaschema_modules_public.rate_limits_module;
+
+COMMIT;
diff --git a/packages/metaschema-modules/verify/schemas/metaschema_modules_public/tables/rate_limits_module/table.sql b/packages/metaschema-modules/verify/schemas/metaschema_modules_public/tables/rate_limits_module/table.sql
new file mode 100644
index 00000000..86e7fe89
--- /dev/null
+++ b/packages/metaschema-modules/verify/schemas/metaschema_modules_public/tables/rate_limits_module/table.sql
@@ -0,0 +1,7 @@
+-- Verify schemas/metaschema_modules_public/tables/rate_limits_module/table on pg
+
+BEGIN;
+
+SELECT verify_table ('metaschema_modules_public.rate_limits_module');
+
+ROLLBACK;