feat(server): add rate-limited API auth and audit logs

Author: haasonsaas

Cargo.lock

@@ -54,6 +54,7 @@ otel = ["opentelemetry", "opentelemetry-otlp", "opentelemetry_sdk", "tracing-ope
 [dev-dependencies]
 tempfile = "3.8"
 mockito = "1.2"
+tower = "0.5"
 
 [profile.release]
 lto = "thin"

Cargo.toml

@@ -122,7 +122,7 @@ This roadmap is derived from deep research into Greptile's public docs, blog, MC
 77. [x] Add an MCP server for DiffScope with review, analytics, and rule-management tools.
 78. [x] Add reusable agent skills/workflows for checking PR readiness and running fix loops.
 79. [x] Add signed webhook or event-stream integration for downstream automation consumers.
-80. [ ] Add rate-limited API auth and audit trails for automation-heavy deployments.
+80. [x] Add rate-limited API auth and audit trails for automation-heavy deployments.
 
 ## 9. Infra, Self-Hosting, and Enterprise Operations
 

TODO.md

@@ -127,6 +127,19 @@ pub struct AutomationConfig {
     pub webhook_secret: Option<String>,
 }
 
+pub(crate) const DEFAULT_SERVER_RATE_LIMIT_PER_MINUTE: u32 = 60;
+
+#[derive(Debug, Clone, Serialize, Deserialize, Default)]
+pub struct ServerSecurityConfig {
+    /// Shared API key required for protected server mutations when configured.
+    #[serde(default, rename = "server_api_key")]
+    pub api_key: Option<String>,
+
+    /// Maximum protected API mutations allowed per minute when auth is enabled.
+    #[serde(default, rename = "server_rate_limit_per_minute")]
+    pub rate_limit_per_minute: Option<u32>,
+}
+
 #[derive(Debug, Clone, Serialize, Deserialize)]
 pub struct AgentConfig {
     /// Enable agent loop for iterative tool-calling review (default false).
@@ -467,6 +480,9 @@ pub struct Config {
     #[serde(default, flatten)]
     pub automation: AutomationConfig,
 
+    #[serde(default, flatten)]
+    pub server_security: ServerSecurityConfig,
+
     /// When true, run separate specialized LLM passes for security, correctness,
     /// and style instead of a single monolithic review prompt.
     #[serde(default = "default_false")]
@@ -670,6 +686,7 @@ impl Default for Config {
             providers: HashMap::new(),
             github: GitHubConfig::default(),
             automation: AutomationConfig::default(),
+            server_security: ServerSecurityConfig::default(),
             multi_pass_specialized: false,
             agent: AgentConfig::default(),
             verification: VerificationConfig::default(),
@@ -856,6 +873,23 @@ impl Config {
                 .ok()
                 .filter(|s| !s.trim().is_empty());
         }
+        if self.server_security.api_key.is_none() {
+            self.server_security.api_key = std::env::var("DIFFSCOPE_SERVER_API_KEY")
+                .ok()
+                .filter(|s| !s.trim().is_empty());
+        }
+        if self.server_security.rate_limit_per_minute.is_none() {
+            self.server_security.rate_limit_per_minute =
+                std::env::var("DIFFSCOPE_SERVER_RATE_LIMIT_PER_MINUTE")
+                    .ok()
+                    .and_then(|raw| raw.trim().parse::<u32>().ok())
+                    .filter(|value| *value > 0);
+        }
+        if self.server_security.api_key.is_some()
+            && self.server_security.rate_limit_per_minute.unwrap_or(0) == 0
+        {
+            self.server_security.rate_limit_per_minute = Some(DEFAULT_SERVER_RATE_LIMIT_PER_MINUTE);
+        }
 
         validate_optional_http_url(&mut self.base_url, "base_url");
         validate_optional_http_url(&mut self.automation.webhook_url, "automation_webhook_url");
@@ -1811,6 +1845,39 @@ mod tests {
         assert!(config.automation.webhook_url.is_none());
     }
 
+    #[test]
+    fn normalize_defaults_server_rate_limit_when_api_key_present() {
+        let mut config = Config {
+            server_security: ServerSecurityConfig {
+                api_key: Some("shared-key".to_string()),
+                rate_limit_per_minute: None,
+            },
+            ..Config::default()
+        };
+
+        config.normalize();
+
+        assert_eq!(
+            config.server_security.rate_limit_per_minute,
+            Some(DEFAULT_SERVER_RATE_LIMIT_PER_MINUTE)
+        );
+    }
+
+    #[test]
+    fn normalize_preserves_explicit_server_rate_limit() {
+        let mut config = Config {
+            server_security: ServerSecurityConfig {
+                api_key: Some("shared-key".to_string()),
+                rate_limit_per_minute: Some(120),
+            },
+            ..Config::default()
+        };
+
+        config.normalize();
+
+        assert_eq!(config.server_security.rate_limit_per_minute, Some(120));
+    }
+
     #[test]
     fn normalize_clamps_max_tokens_above_limit() {
         let mut config = Config {

src/config.rs

@@ -230,7 +230,8 @@ mod tests {
             "automation_webhook_secret".to_string(),
             serde_json::json!("secret6"),
         );
-        obj.insert("vault_token".to_string(), serde_json::json!("secret7"));
+        obj.insert("server_api_key".to_string(), serde_json::json!("secret7"));
+        obj.insert("vault_token".to_string(), serde_json::json!("secret8"));
         mask_config_secrets(&mut obj);
         assert_eq!(obj.get("api_key").unwrap(), &serde_json::json!("***"));
         assert_eq!(obj.get("github_token").unwrap(), &serde_json::json!("***"));
@@ -250,6 +251,10 @@ mod tests {
             obj.get("automation_webhook_secret").unwrap(),
             &serde_json::json!("***")
         );
+        assert_eq!(
+            obj.get("server_api_key").unwrap(),
+            &serde_json::json!("***")
+        );
         assert_eq!(obj.get("vault_token").unwrap(), &serde_json::json!("***"));
     }
 

src/server/api.rs

@@ -133,6 +133,7 @@ pub(crate) fn mask_config_secrets(obj: &mut serde_json::Map<String, serde_json::
         "github_private_key",
         "github_webhook_secret",
         "automation_webhook_secret",
+        "server_api_key",
         "vault_token",
     ] {
         if obj.get(*key).and_then(|v| v.as_str()).is_some() {