Add external API abuse controls

[metajinglun]

Summary

• Add env-driven anonymous rate limits, trusted request context, aggregate anonymous ceiling, emergency restriction gates, disabled-path kill switch, rate-limit headers, and restriction metrics.
• Document the lean operational model: Cloudflare covers normal edge per-IP abuse; the app layer focuses on trusted identity, aggregate anonymous pressure, and emergency backend protection.
• Fix additional-token account derivation for off-curve recipients and cover it with a regression test.

Verification

• git diff --check
• bun test tests/restriction.test.ts tests/rateLimit.test.ts tests/config.test.ts
• bun run build
• bun test
• Restricted-mode HTTP smoke: anonymous /api/tickers -> 503 SERVICE_RESTRICTED, trusted /api/tickers -> 200, /health -> 200

Notes

• Emergency controls remain env + restart only; no runtime admin endpoint is added.
• Restriction mode preserves trusted server-side access while shedding anonymous traffic.
• GLOBAL_RATE_LIMIT_MAX remains off by default and can be enabled when aggregate anonymous origin pressure matters.

Greptile Summary

This PR adds an abuse-control layer to the external API: anonymous and global rate limits (env-driven), a request-context middleware that validates API keys with timing-safe comparison, an emergency restriction mode that sheds anonymous traffic while preserving trusted and health access, and Prometheus metrics for restriction events. It also fixes getAssociatedTokenAddress to pass allowOwnerOffCurve=true for PDA recipients in the launchpad service.

• Rate limiting is refactored into src/middleware/rateLimit.ts with a check-then-charge design that prevents per-IP quota from being consumed by global-ceiling rejections; rate-limit headers (X-RateLimit-*, Retry-After) are now included on all responses.
• Restriction middleware (src/middleware/restriction.ts) gates on RESTRICTION_MODE and RESTRICTION_DISABLED_PATHS, always exempting /health, /api/health, and /metrics; controls are env + restart only with no runtime admin endpoint.
• Launchpad fix adds the missing allowOwnerOffCurve=true argument to getAssociatedTokenAddress and covers the regression with a new test.

Confidence Score: 5/5

Safe to merge; the new middleware layer is well-structured, tested, and the single finding is a minor path-matching edge case in an internal guard.

All three middleware pieces (client context, rate limiting, restriction) are logically correct and covered by tests. The rate limiter correctly implements check-before-charge to avoid phantom quota consumption. The timing-safe key comparison iterates all keys without early exit. The launchpad fix is small, targeted, and regression-tested. The only gap is that alwaysAllowedPaths uses prefix matching where exact matching was intended, but no current route collides with those prefixes, so it has no impact today.

src/middleware/restriction.ts — the alwaysAllowedPaths exact-vs-prefix matching issue is worth fixing before new routes are added near /health or /metrics.

Important Files Changed

Filename	Overview
src/middleware/restriction.ts	New emergency restriction middleware; logic is correct but alwaysAllowedPaths uses prefix matching instead of exact matching, which could silently exempt unintended paths.
src/middleware/rateLimit.ts	Refactored rate limiter with global anonymous ceiling, rate-limit headers, and check-then-charge ordering that correctly avoids burning per-IP quota on global-ceiling rejections.
src/middleware/clientContext.ts	New middleware to classify requests as anon/trusted; timing-safe key lookup iterates all keys without early exit, correctly addressing the previous review concern.
src/config.ts	Adds config for rate limit window, global rate limit, and restriction mode/paths; replaces inline parseInt calls with a validated parseInteger helper.
src/services/launchpadService.ts	Passes allowOwnerOffCurve=true to getAssociatedTokenAddress so PDA recipients no longer throw during token account derivation.
src/utils/timingSafe.ts	New utility that hashes both operands through SHA-256 before calling Node's timingSafeEqual, ensuring constant-time string comparison regardless of string length differences.
src/services/metricsService.ts	Adds Prometheus counter for restriction rejections (by reason label) and a gauge for current restriction mode; straightforward metric additions.
tests/services/launchpadService.test.ts	Adds a regression test that exercises the off-curve recipient path, verifying the token account address is derived with allowOwnerOffCurve=true.

_{Reviews (3): Last reviewed commit: "Trim duplicate edge controls from API sa..." | Re-trigger Greptile}

[github-actions]

Package Protection

• Lockfile + Socket scan: pass
• Repo guard: pass
• Phantom deps: pass

Repository Guard

Exact dependency versions

• Status: pass
• All dependencies, devDependencies, optionalDependencies, and peerDependencies use exact versions or workspace:*.

Package minimum age

• Status: pass
• All pinned external packages are at least 14 days old.

Sensitive wallet / program changes

• Status: warn
• Suspicious wallet routing, signing-path, or program-ID changes detected. This is a review hint, not a merge gate — CODEOWNERS + branch protection enforce the actual review requirement. Please take a closer look at the lines below.
• High-sensitivity files touched: src/config.ts, src/app.ts, src/services/launchpadService.ts
• Matching diff lines:
• tests/services/launchpadService.test.ts:18 Hardcoded Solana address or program literal; Public key construction change -> +const LAUNCH = new PublicKey('5FPGRzY9ArJFwY2Hp2y2eqMzVewyWCBox7esmpuZfCvE');
• tests/services/launchpadService.test.ts:19 Hardcoded Solana address or program literal; Public key construction change -> +const DAO = new PublicKey('11111111111111111111111111111111');
• tests/services/launchpadService.test.ts:59 Wallet or destination routing change -> + it('derives the additional-token account when the recipient is off-curve', async () => {
• tests/services/launchpadService.test.ts:61 Wallet or destination routing change -> + const [recipient] = PublicKey.findProgramAddressSync(
• tests/services/launchpadService.test.ts:62 Wallet or destination routing change -> + [Buffer.from('additional-recipient'), MINT.toBuffer()],
• tests/services/launchpadService.test.ts:65 Wallet or destination routing change -> + const expectedTokenAccount = await getAssociatedTokenAddress(MINT, recipient, true);
• tests/services/launchpadService.test.ts:82 Wallet or destination routing change -> + additionalTokensRecipient: recipient,
• tests/services/launchpadService.test.ts:90 Wallet or destination routing change -> + expect(breakdown.additionalTokenAllocation?.recipient.equals(recipient)).toBe(true);

Overall status: pass

Transitive supply-chain threats are covered by the Socket scanner (via @socketsecurity/bun-security-scanner in bunfig.toml), which runs on every bun install. This guard blocks merge on direct-dep pinning and age policy; the sensitive-diff section is a review hint, not a merge gate (CODEOWNERS handles the actual review requirement).