feat(rate-limiting): Implement core rate limiting functionality with configuration, decision-making, metrics, middleware, and service registration

- Add RateLimitConfig for configuration management with YAML binding support. - Introduce RateLimitDecision to encapsulate the result of rate limit checks. - Implement RateLimitMetrics for OpenTelemetry metrics tracking. - Create RateLimitMiddleware for enforcing rate limits on incoming requests. - Develop RateLimitService to orchestrate instance and environment rate limit checks. - Add RateLimitServiceCollectionExtensions for dependency injection registration.
2025-12-17 18:02:37 +02:00
parent 394b57f6bf
commit 8bbfe4d2d2
211 changed files with 47179 additions and 1590 deletions
--- a/src/Excititor/AGENTS.md
+++ b/src/Excititor/AGENTS.md
@@ -19,6 +19,42 @@
 - `docs/modules/excititor/operations/chunk-api-user-guide.md`
 - `docs/modules/excititor/schemas/vex-chunk-api.yaml`
 - `docs/modules/evidence-locker/attestation-contract.md`
+- `docs/product-advisories/14-Dec-2025 - Smart-Diff Technical Reference.md` (for VEX emission contracts)
+
+## VEX Emission Contracts (Sprint 3500)
+
+The Excititor module handles VEX candidate emission for Smart-Diff:
+
+### Namespace
+- `StellaOps.Excititor.VexEmission` - VEX candidate generation
+
+### Key Types
+- `VexCandidateEmitter` - Generates VEX candidate statements
+- `VexCandidate` - A VEX statement candidate for review
+- `VexEmissionRule` - Rule matching for VEX emission
+- `IVexCandidateRepository` - Storage for VEX candidates
+
+### VEX Emission Triggers
+| Trigger | Description | VEX Status |
+|---------|-------------|------------|
+| `sink_unreachable` | Vulnerability requires sink not present | `not_affected` candidate |
+| `entry_unreachable` | Vulnerable entry point unreachable | `not_affected` candidate |
+| `api_absent` | Vulnerable API not called | `not_affected` candidate |
+| `package_removed` | Vulnerable package removed | `fixed` candidate |
+| `version_upgraded` | Package upgraded past fix version | `fixed` candidate |
+| `patch_applied` | Security patch detected | `fixed` candidate |
+
+### VEX Candidate Workflow
+1. Smart-Diff detects reachability flip or package change
+2. `VexCandidateEmitter` evaluates emission rules
+3. Matching rules generate `VexCandidate` with justification
+4. Candidates stored via `IVexCandidateRepository`
+5. Candidates surfaced in triage UI for review/approval
+
+### Integration Points
+- Scanner SmartDiff triggers VEX emission on reachability changes
+- Candidates stored with `SmartDiffPredicate` reference for traceability
+- Approved candidates become formal VEX statements via Attestor

 ## Working Agreements
 - Determinism: canonical JSON ordering; stable pagination; UTC ISO-8601 timestamps; sort chunk edges deterministically.