[Epic] Rate Limiting Standardization #99

@eoln

Overview

Standardize rate limiting across the monorepo by extracting rate limiting into a centralized Worker service with Durable Objects. Implements both incoming (protect our resources) and outgoing (protect external APIs) rate limiting.

Background

  • Current email service has in-memory rate limiter that resets on Worker restart
  • No centralized solution - each service implements its own limiting
  • No outgoing limits for external API calls (Resend, Anthropic, Stripe)
  • Government APIs (CEIDG, REGON, KSeF) lack rate limiting

Architecture

  • New Service: srv/rate-limiter/ - Cloudflare Worker with Durable Objects
  • Shared Package: @eoln/rate-limiter - SDK client and middleware
  • Token Bucket Algorithm: With Alarm API for efficient bulk refresh

DO Naming Scheme

Format: {stage}:{type}:{subject}:{policy}

Examples:

  • dev:incoming:user:uuid-123:password_reset
  • prod:outgoing:resend:a1b2c3d4e5f6 (hashed API key)
  • prod:outgoing:ceidg:tenant_hash (government API)

Phases

  1. Service Scaffold + Core DO (4h)
  2. REST API + Policies (3h)
  3. Shared Package + SDK (3h)
  4. Email Service Migration (2h)
  5. Government API Integration (4h)
  6. CI/CD + Documentation (2h)
  7. Additional Service Integration (3h)

Total Estimate: 21 hours (~3 days)

Research

See .claude/research/20260104-rate-limiting-standardization.md

PRP

See .claude/PRPs/draft/20260104-rate-limiting-standardization.md
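Added example, not part of the original issue or the project's code: a sketch of the two pieces named under Architecture and DO Naming Scheme, a validated name builder and a token bucket over plain serializable state. The function names, the stage list and the policy fields (`capacity`, `refillPerSec`) are assumptions.

```javascript
// Added example; stage list, policy fields and function names are assumptions.
const STAGES = ["dev", "prod"]; // the two stages that appear in the issue's examples
const TYPES = ["incoming", "outgoing"];
const SEGMENT = /^[A-Za-z0-9_-]+$/; // no ":" so one field cannot spill into the next

// Build a name in the {stage}:{type}:{subject}:{policy} scheme. `subject` is a list
// of parts, e.g. ["user", "uuid-123"]. For API keys pass a hash, never the raw key,
// because object names end up in logs and dashboards.
function bucketName(stage, type, subject, policy) {
  if (!STAGES.includes(stage)) throw new Error("unknown stage");
  if (!TYPES.includes(type)) throw new Error("unknown type");
  const parts = [stage, type, ...subject, policy];
  for (const p of parts) {
    if (typeof p !== "string" || !SEGMENT.test(p)) throw new Error("bad segment");
  }
  return parts.join(":");
}

// Token bucket over plain state { tokens, updatedMs }. The caller persists the
// returned state, so limits do not reset when the process restarts.
function take(state, policy, nowMs, cost = 1) {
  const prev = state ?? { tokens: policy.capacity, updatedMs: nowMs };
  const now = Math.max(nowMs, prev.updatedMs); // a clock step backwards earns no tokens
  const earned = ((now - prev.updatedMs) / 1000) * policy.refillPerSec;
  const tokens = Math.min(policy.capacity, prev.tokens + earned);
  if (tokens >= cost) {
    return { allowed: true, retryAfterMs: 0, state: { tokens: tokens - cost, updatedMs: now } };
  }
  // Denied: report how long until enough tokens have accumulated.
  const retryAfterMs = Math.ceil(((cost - tokens) / policy.refillPerSec) * 1000);
  return { allowed: false, retryAfterMs, state: { tokens, updatedMs: now } };
}
```

Rejecting `:` inside a segment keeps caller-supplied identifiers from producing a name that collides with another subject's bucket.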
