[codex] Enforce shared relay admission limits (BUZZ-SEC-019)#1917
Open
jmecom wants to merge 2 commits into
Open
[codex] Enforce shared relay admission limits (BUZZ-SEC-019)#1917jmecom wants to merge 2 commits into
jmecom wants to merge 2 commits into
Conversation
d709150 to
e0ea0d3
Compare
tlongwell-block
approved these changes
Jul 16, 2026
e0ea0d3 to
1210ec2
Compare
1210ec2 to
0fd928b
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What changed
The relay now applies its shared Redis-backed admission limits to authenticated WebSocket
EVENT,REQ, andCOUNTmessages and to the NIP-98/events,/query, and/countendpoints. WebSocket traffic receives a rate-limit notice, HTTP traffic receives429, and both paths reject work when the shared limiter is unavailable.The limits distinguish ordinary request volume from event publication, retain the existing human-versus-agent message budgets, and emit rejection metrics by transport and reason.
Why
Buzz already defined tenant- and principal-scoped limits, but the general Redis limiter was never connected to relay admission. A member could therefore consume shared database and relay capacity without hitting those configured budgets.
Impact
Normal authenticated relay work is now bounded consistently across HTTP and WebSocket transports. Redis availability becomes part of this admission boundary: failure to evaluate a shared limit fails closed instead of silently bypassing it.
Testing
cargo test -p buzz-relay admission::tests --libAddresses BUZZ-SEC-019.