feat(rate-limiting): Implement core rate limiting functionality with configuration, decision-making, metrics, middleware, and service registration

- Add RateLimitConfig for configuration management with YAML binding support.
- Introduce RateLimitDecision to encapsulate the result of rate limit checks.
- Implement RateLimitMetrics for OpenTelemetry metrics tracking.
- Create RateLimitMiddleware for enforcing rate limits on incoming requests.
- Develop RateLimitService to orchestrate instance and environment rate limit checks.
- Add RateLimitServiceCollectionExtensions for dependency injection registration.

datasets/reachability/ground-truth/basic/gt-0001/main.c

@@ -0,0 +1,18 @@
+// gt-0001: Direct call to vulnerable sink from main
+// Expected: REACHABLE (tier: executed)
+// Vulnerability: CWE-120 (Buffer Copy without Checking Size)
+
+#include <stdio.h>
+#include <string.h>
+
+int main(int argc, char *argv[]) {
+    char buffer[32];
+    
+    if (argc > 1) {
+        // Vulnerable: strcpy without bounds checking
+        strcpy(buffer, argv[1]);  // SINK: CWE-120
+        printf("Input: %s\n", buffer);
+    }
+    
+    return 0;
+}

datasets/reachability/ground-truth/basic/gt-0001/sample.manifest.json

@@ -0,0 +1,29 @@
+{
+  "$schema": "https://stellaops.io/schemas/sample-manifest.v1.json",
+  "sampleId": "gt-0001",
+  "version": "1.0.0",
+  "category": "basic",
+  "description": "Direct call to vulnerable sink from main - REACHABLE",
+  "language": "c",
+  "expectedResult": {
+    "reachable": true,
+    "tier": "executed",
+    "confidence": 1.0
+  },
+  "source": {
+    "files": ["main.c"],
+    "entrypoint": "main",
+    "sink": "strcpy",
+    "vulnerability": "CWE-120"
+  },
+  "callChain": [
+    {"function": "main", "file": "main.c", "line": 5},
+    {"function": "strcpy", "file": "<libc>", "line": null}
+  ],
+  "annotations": {
+    "notes": "Simplest reachable case - direct call from entrypoint to vulnerable function",
+    "difficulty": "trivial"
+  },
+  "createdAt": "2025-12-17T00:00:00Z",
+  "createdBy": "corpus-team"
+}

datasets/reachability/ground-truth/basic/gt-0002/main.c

@@ -0,0 +1,22 @@
+// gt-0002: Two-hop call chain to vulnerable sink
+// Expected: REACHABLE (tier: executed)
+// Vulnerability: CWE-134 (Format String)
+
+#include <stdio.h>
+#include <string.h>
+
+void format_message(const char *user_input, char *output) {
+    // Vulnerable: format string from user input
+    sprintf(output, user_input);  // SINK: CWE-134
+}
+
+int main(int argc, char *argv[]) {
+    char buffer[256];
+    
+    if (argc > 1) {
+        format_message(argv[1], buffer);
+        printf("Result: %s\n", buffer);
+    }
+    
+    return 0;
+}

datasets/reachability/ground-truth/basic/gt-0002/sample.manifest.json

@@ -0,0 +1,30 @@
+{
+  "$schema": "https://stellaops.io/schemas/sample-manifest.v1.json",
+  "sampleId": "gt-0002",
+  "version": "1.0.0",
+  "category": "basic",
+  "description": "Two-hop call chain to vulnerable sink - REACHABLE",
+  "language": "c",
+  "expectedResult": {
+    "reachable": true,
+    "tier": "executed",
+    "confidence": 1.0
+  },
+  "source": {
+    "files": ["main.c"],
+    "entrypoint": "main",
+    "sink": "sprintf",
+    "vulnerability": "CWE-134"
+  },
+  "callChain": [
+    {"function": "main", "file": "main.c", "line": 15},
+    {"function": "format_message", "file": "main.c", "line": 7},
+    {"function": "sprintf", "file": "<libc>", "line": null}
+  ],
+  "annotations": {
+    "notes": "Two-hop chain: main -> helper -> sink",
+    "difficulty": "easy"
+  },
+  "createdAt": "2025-12-17T00:00:00Z",
+  "createdBy": "corpus-team"
+}

datasets/reachability/ground-truth/basic/gt-0003/main.c

@@ -0,0 +1,25 @@
+// gt-0003: Three-hop call chain with command injection
+// Expected: REACHABLE (tier: executed)
+// Vulnerability: CWE-78 (OS Command Injection)
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+void execute_command(const char *cmd) {
+    // Vulnerable: system call with user input
+    system(cmd);  // SINK: CWE-78
+}
+
+void process_input(const char *input) {
+    char command[256];
+    snprintf(command, sizeof(command), "echo %s", input);
+    execute_command(command);
+}
+
+int main(int argc, char *argv[]) {
+    if (argc > 1) {
+        process_input(argv[1]);
+    }
+    return 0;
+}

datasets/reachability/ground-truth/basic/gt-0003/sample.manifest.json

@@ -0,0 +1,31 @@
+{
+  "$schema": "https://stellaops.io/schemas/sample-manifest.v1.json",
+  "sampleId": "gt-0003",
+  "version": "1.0.0",
+  "category": "basic",
+  "description": "Three-hop call chain with multiple sinks - REACHABLE",
+  "language": "c",
+  "expectedResult": {
+    "reachable": true,
+    "tier": "executed",
+    "confidence": 1.0
+  },
+  "source": {
+    "files": ["main.c"],
+    "entrypoint": "main",
+    "sink": "system",
+    "vulnerability": "CWE-78"
+  },
+  "callChain": [
+    {"function": "main", "file": "main.c", "line": 20},
+    {"function": "process_input", "file": "main.c", "line": 12},
+    {"function": "execute_command", "file": "main.c", "line": 6},
+    {"function": "system", "file": "<libc>", "line": null}
+  ],
+  "annotations": {
+    "notes": "Three-hop chain demonstrating command injection path",
+    "difficulty": "easy"
+  },
+  "createdAt": "2025-12-17T00:00:00Z",
+  "createdBy": "corpus-team"
+}

datasets/reachability/ground-truth/basic/gt-0004/main.c

@@ -0,0 +1,37 @@
+// gt-0004: Function pointer call to sink
+// Expected: REACHABLE (tier: executed)
+// Vulnerability: CWE-120 (Buffer Copy without Checking Size)
+
+#include <stdio.h>
+#include <string.h>
+
+typedef void (*copy_func_t)(char *, const char *);
+
+void copy_data(char *dest, const char *src) {
+    // Vulnerable: strcpy without bounds check
+    strcpy(dest, src);  // SINK: CWE-120
+}
+
+void safe_copy(char *dest, const char *src) {
+    strncpy(dest, src, 31);
+    dest[31] = '\0';
+}
+
+int main(int argc, char *argv[]) {
+    char buffer[32];
+    copy_func_t copier;
+    
+    // Function pointer assignment - harder for static analysis
+    if (argc > 2 && argv[2][0] == 's') {
+        copier = safe_copy;
+    } else {
+        copier = copy_data;  // Vulnerable path selected
+    }
+    
+    if (argc > 1) {
+        copier(buffer, argv[1]);  // Indirect call
+        printf("Result: %s\n", buffer);
+    }
+    
+    return 0;
+}

datasets/reachability/ground-truth/basic/gt-0004/sample.manifest.json

@@ -0,0 +1,31 @@
+{
+  "$schema": "https://stellaops.io/schemas/sample-manifest.v1.json",
+  "sampleId": "gt-0004",
+  "version": "1.0.0",
+  "category": "basic",
+  "description": "Function pointer call to sink - REACHABLE",
+  "language": "c",
+  "expectedResult": {
+    "reachable": true,
+    "tier": "executed",
+    "confidence": 0.9
+  },
+  "source": {
+    "files": ["main.c"],
+    "entrypoint": "main",
+    "sink": "strcpy",
+    "vulnerability": "CWE-120"
+  },
+  "callChain": [
+    {"function": "main", "file": "main.c", "line": 18},
+    {"function": "<function_ptr>", "file": "main.c", "line": 19},
+    {"function": "copy_data", "file": "main.c", "line": 8},
+    {"function": "strcpy", "file": "<libc>", "line": null}
+  ],
+  "annotations": {
+    "notes": "Indirect call via function pointer - harder for static analysis",
+    "difficulty": "medium"
+  },
+  "createdAt": "2025-12-17T00:00:00Z",
+  "createdBy": "corpus-team"
+}

datasets/reachability/ground-truth/basic/gt-0005/main.c

@@ -0,0 +1,31 @@
+// gt-0005: Recursive function with sink
+// Expected: REACHABLE (tier: executed)
+// Vulnerability: CWE-134 (Format String)
+
+#include <stdio.h>
+#include <string.h>
+
+char result[1024];
+
+void process_recursive(const char *input, int depth) {
+    if (depth <= 0 || strlen(input) == 0) {
+        return;
+    }
+    
+    // Vulnerable: format string in recursive context
+    sprintf(result + strlen(result), input);  // SINK: CWE-134
+    
+    // Recurse with modified input
+    process_recursive(input + 1, depth - 1);
+}
+
+int main(int argc, char *argv[]) {
+    result[0] = '\0';
+    
+    if (argc > 1) {
+        process_recursive(argv[1], 5);
+        printf("Result: %s\n", result);
+    }
+    
+    return 0;
+}

datasets/reachability/ground-truth/basic/gt-0005/sample.manifest.json

@@ -0,0 +1,31 @@
+{
+  "$schema": "https://stellaops.io/schemas/sample-manifest.v1.json",
+  "sampleId": "gt-0005",
+  "version": "1.0.0",
+  "category": "basic",
+  "description": "Recursive function with sink - REACHABLE",
+  "language": "c",
+  "expectedResult": {
+    "reachable": true,
+    "tier": "executed",
+    "confidence": 1.0
+  },
+  "source": {
+    "files": ["main.c"],
+    "entrypoint": "main",
+    "sink": "sprintf",
+    "vulnerability": "CWE-134"
+  },
+  "callChain": [
+    {"function": "main", "file": "main.c", "line": 22},
+    {"function": "process_recursive", "file": "main.c", "line": 14},
+    {"function": "process_recursive", "file": "main.c", "line": 14},
+    {"function": "sprintf", "file": "<libc>", "line": null}
+  ],
+  "annotations": {
+    "notes": "Recursive call pattern - tests loop/recursion handling",
+    "difficulty": "medium"
+  },
+  "createdAt": "2025-12-17T00:00:00Z",
+  "createdBy": "corpus-team"
+}

datasets/reachability/ground-truth/unreachable/gt-0011/main.c

@@ -0,0 +1,25 @@
+// gt-0011: Dead code - function never called
+// Expected: UNREACHABLE (tier: imported)
+// Vulnerability: CWE-120 (Buffer Copy without Checking Size)
+
+#include <stdio.h>
+#include <string.h>
+
+// This function is NEVER called - dead code
+void vulnerable_function(const char *input) {
+    char buffer[32];
+    strcpy(buffer, input);  // SINK: CWE-120 (but unreachable)
+    printf("Value: %s\n", buffer);
+}
+
+void safe_function(const char *input) {
+    printf("Safe: %.31s\n", input);
+}
+
+int main(int argc, char *argv[]) {
+    if (argc > 1) {
+        // Only safe_function is called
+        safe_function(argv[1]);
+    }
+    return 0;
+}

datasets/reachability/ground-truth/unreachable/gt-0011/sample.manifest.json

@@ -0,0 +1,27 @@
+{
+  "$schema": "https://stellaops.io/schemas/sample-manifest.v1.json",
+  "sampleId": "gt-0011",
+  "version": "1.0.0",
+  "category": "unreachable",
+  "description": "Dead code - function never called - UNREACHABLE",
+  "language": "c",
+  "expectedResult": {
+    "reachable": false,
+    "tier": "imported",
+    "confidence": 1.0
+  },
+  "source": {
+    "files": ["main.c"],
+    "entrypoint": "main",
+    "sink": "strcpy",
+    "vulnerability": "CWE-120"
+  },
+  "callChain": null,
+  "annotations": {
+    "notes": "Vulnerable function exists but is never called from any reachable path",
+    "difficulty": "trivial",
+    "reason": "dead_code"
+  },
+  "createdAt": "2025-12-17T00:00:00Z",
+  "createdBy": "corpus-team"
+}

datasets/reachability/ground-truth/unreachable/gt-0012/main.c

@@ -0,0 +1,28 @@
+// gt-0012: Compile-time constant false condition
+// Expected: UNREACHABLE (tier: imported)
+// Vulnerability: CWE-120 (Buffer Overflow)
+
+#include <stdio.h>
+#include <string.h>
+
+#define DEBUG_MODE 0  // Compile-time constant
+
+int main(int argc, char *argv[]) {
+    char buffer[64];
+    
+    // This branch is constant false - will be optimized out
+    if (DEBUG_MODE) {
+        // Vulnerable code in dead branch
+        gets(buffer);  // SINK: CWE-120 (but unreachable)
+        printf("Debug: %s\n", buffer);
+    } else {
+        // Safe path always taken
+        if (argc > 1) {
+            strncpy(buffer, argv[1], sizeof(buffer) - 1);
+            buffer[sizeof(buffer) - 1] = '\0';
+            printf("Input: %s\n", buffer);
+        }
+    }
+    
+    return 0;
+}

datasets/reachability/ground-truth/unreachable/gt-0012/sample.manifest.json

@@ -0,0 +1,27 @@
+{
+  "$schema": "https://stellaops.io/schemas/sample-manifest.v1.json",
+  "sampleId": "gt-0012",
+  "version": "1.0.0",
+  "category": "unreachable",
+  "description": "Compile-time constant false condition - UNREACHABLE",
+  "language": "c",
+  "expectedResult": {
+    "reachable": false,
+    "tier": "imported",
+    "confidence": 1.0
+  },
+  "source": {
+    "files": ["main.c"],
+    "entrypoint": "main",
+    "sink": "gets",
+    "vulnerability": "CWE-120"
+  },
+  "callChain": null,
+  "annotations": {
+    "notes": "Sink is behind a constant false condition that will be optimized out",
+    "difficulty": "easy",
+    "reason": "constant_false"
+  },
+  "createdAt": "2025-12-17T00:00:00Z",
+  "createdBy": "corpus-team"
+}

datasets/reachability/ground-truth/unreachable/gt-0013/main.c

@@ -0,0 +1,27 @@
+// gt-0013: Ifdef-excluded code path
+// Expected: UNREACHABLE (tier: imported)
+// Vulnerability: CWE-78 (OS Command Injection)
+// Compile with: gcc -DPRODUCTION main.c (LEGACY_SHELL not defined)
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#define PRODUCTION
+
+void process_command(const char *cmd) {
+#ifdef LEGACY_SHELL
+    // This code is excluded when LEGACY_SHELL is not defined
+    system(cmd);  // SINK: CWE-78 (but unreachable - ifdef excluded)
+#else
+    // Safe path: just print, don't execute
+    printf("Would execute: %s\n", cmd);
+#endif
+}
+
+int main(int argc, char *argv[]) {
+    if (argc > 1) {
+        process_command(argv[1]);
+    }
+    return 0;
+}

datasets/reachability/ground-truth/unreachable/gt-0013/sample.manifest.json

@@ -0,0 +1,27 @@
+{
+  "$schema": "https://stellaops.io/schemas/sample-manifest.v1.json",
+  "sampleId": "gt-0013",
+  "version": "1.0.0",
+  "category": "unreachable",
+  "description": "Ifdef-excluded code path - UNREACHABLE",
+  "language": "c",
+  "expectedResult": {
+    "reachable": false,
+    "tier": "imported",
+    "confidence": 1.0
+  },
+  "source": {
+    "files": ["main.c"],
+    "entrypoint": "main",
+    "sink": "system",
+    "vulnerability": "CWE-78"
+  },
+  "callChain": null,
+  "annotations": {
+    "notes": "Vulnerable code excluded by preprocessor directive",
+    "difficulty": "easy",
+    "reason": "preprocessor_excluded"
+  },
+  "createdAt": "2025-12-17T00:00:00Z",
+  "createdBy": "corpus-team"
+}