up

2025-10-12 20:37:18 +03:00
parent 016c5a3fe7
commit d3a98326d1
306 changed files with 21409 additions and 4449 deletions
--- a/docs/assets/authority/authority-rate-limit-flow.svg
+++ b/docs/assets/authority/authority-rate-limit-flow.svg
@@ -0,0 +1,105 @@
+<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 1180 400" role="img">
+  <title>Authority rate limit and lockout flow</title>
+  <defs>
+    <style>
+      .lane { fill: #0f172a; }
+      .lane text { fill: #e2e8f0; font: bold 18px "Segoe UI", sans-serif; }
+      .step { fill: #1f2937; stroke: #1e3a8a; stroke-width: 2; rx: 12; ry: 12; }
+      .step text { fill: #f8fafc; font: 15px "Segoe UI", sans-serif; }
+      .decision { fill: #0f766e; stroke: #0d9488; stroke-width: 2; rx: 12; ry: 12; }
+      .decision text { fill: #ecfeff; font: 15px "Segoe UI", sans-serif; }
+      .note { fill: #1e293b; font: italic 14px "Segoe UI", sans-serif; }
+    </style>
+    <marker id="arrow-blue" markerWidth="11" markerHeight="11" refX="10" refY="6" orient="auto">
+      <path d="M0,0 L11,6 L0,12 z" fill="#2563eb" />
+    </marker>
+    <marker id="arrow-green" markerWidth="11" markerHeight="11" refX="10" refY="6" orient="auto">
+      <path d="M0,0 L11,6 L0,12 z" fill="#0d9488" />
+    </marker>
+    <marker id="arrow-red" markerWidth="11" markerHeight="11" refX="10" refY="6" orient="auto">
+      <path d="M0,0 L11,6 L0,12 z" fill="#dc2626" />
+    </marker>
+  </defs>
+
+  <rect class="lane" x="40" y="20" width="160" height="40" rx="8" />
+  <text x="60" y="48">Client / App</text>
+  <rect class="lane" x="300" y="20" width="200" height="40" rx="8" />
+  <text x="320" y="48">Authority Host</text>
+  <rect class="lane" x="560" y="20" width="210" height="40" rx="8" />
+  <text x="580" y="48">Rate Limiter</text>
+  <rect class="lane" x="840" y="20" width="150" height="40" rx="8" />
+  <text x="860" y="48">Standard Plug-in</text>
+  <rect class="lane" x="1040" y="20" width="120" height="40" rx="8" />
+  <text x="1060" y="48">Credential Store</text>
+
+  <!-- Flow steps -->
+  <g transform="translate(40,90)">
+    <rect class="step" width="220" height="90" />
+    <text x="20" y="36">POST /token request</text>
+    <text x="20" y="64">client_id + subject creds</text>
+  </g>
+
+  <g transform="translate(300,90)">
+    <rect class="step" width="220" height="90" />
+    <text x="20" y="36">Authority middleware</text>
+    <text x="20" y="64">enriches context tags</text>
+  </g>
+
+  <g transform="translate(580,90)">
+    <rect class="step" width="220" height="90" />
+    <text x="20" y="36">Rate limiter window</text>
+    <text x="20" y="64">client_id + IP keyed</text>
+  </g>
+
+  <g transform="translate(580,210)">
+    <rect class="decision" width="220" height="90" />
+    <text x="20" y="36">Quota exceeded?</text>
+    <text x="20" y="64">emit Retry-After &amp; tags</text>
+  </g>
+
+  <g transform="translate(580,330)">
+    <rect class="step" width="220" height="90" />
+    <text x="20" y="36">Quota OK</text>
+    <text x="20" y="64">pass remaining tokens</text>
+  </g>
+
+  <g transform="translate(840,210)">
+    <rect class="step" width="220" height="90" />
+    <text x="20" y="36">Verify credentials</text>
+    <text x="20" y="64">hash compare + audit tags</text>
+  </g>
+
+  <g transform="translate(1040,210)">
+    <rect class="step" width="220" height="90" />
+    <text x="20" y="36">Load lockout state</text>
+    <text x="20" y="64">deterministic counters</text>
+  </g>
+
+  <g transform="translate(840,330)">
+    <rect class="decision" width="220" height="90" />
+    <text x="20" y="36">Lockout threshold hit?</text>
+    <text x="20" y="64">follow dedup precedence</text>
+  </g>
+
+  <g transform="translate(300,330)">
+    <rect class="step" width="220" height="90" />
+    <text x="20" y="36">Issue tokens or errors</text>
+    <text x="20" y="64">include limiter metadata</text>
+  </g>
+
+  <!-- Arrows -->
+  <path d="M260,135 H300" stroke="#2563eb" stroke-width="3" fill="none" marker-end="url(#arrow-blue)" />
+  <path d="M520,135 H580" stroke="#2563eb" stroke-width="3" fill="none" marker-end="url(#arrow-blue)" />
+  <path d="M670,180 V210" stroke="#2563eb" stroke-width="3" fill="none" marker-end="url(#arrow-blue)" />
+  <path d="M670,300 V330" stroke="#2563eb" stroke-width="3" fill="none" marker-end="url(#arrow-blue)" />
+  <path d="M800,375 H840" stroke="#2563eb" stroke-width="3" fill="none" marker-end="url(#arrow-blue)" />
+  <path d="M960,255 H1040" stroke="#2563eb" stroke-width="3" fill="none" marker-end="url(#arrow-blue)" />
+  <path d="M960,375 H840" stroke="#0d9488" stroke-width="3" fill="none" marker-end="url(#arrow-green)" />
+  <path d="M670,255 H520" stroke="#dc2626" stroke-width="3" fill="none" marker-end="url(#arrow-red)" />
+  <path d="M520,375 H300" stroke="#2563eb" stroke-width="3" fill="none" marker-end="url(#arrow-blue)" />
+  <path d="M260,375 H40" stroke="#2563eb" stroke-width="3" fill="none" marker-end="url(#arrow-blue)" />
+
+  <!-- Notes -->
+  <text class="note" x="40" y="210">429 path → add `authority.client_id`, `authority.remote_ip` tags for dashboards.</text>
+  <text class="note" x="40" y="240">Lockout path → reuse precedence strategy from Feedser dedup (see DEDUP_CONFLICTS_RESOLUTION_ALGO.md).</text>
+</svg>