Summary
Add per-identity rate limiting keyed on JWT sub claim, in addition to the existing per-IP rate limiting.
Context
Per-IP rate limiting is insufficient for cloud CI/CD pipelines that use dynamic IPs. A compromised publisher identity could submit evidence from distributed IPs, bypassing per-IP limits. Since Tessera is append-only, log pollution from a compromised identity is irrevocable.
Acceptance Criteria
- Per-identity rate limiter keyed on
claims.Sub after JWT verification
- Configurable limit (e.g.,
INGEST_RATE_LIMIT_PER_IDENTITY requests/hour)
- Stricter than per-IP limits (identity is the scarcer resource)
Summary
Add per-identity rate limiting keyed on JWT
subclaim, in addition to the existing per-IP rate limiting.Context
Per-IP rate limiting is insufficient for cloud CI/CD pipelines that use dynamic IPs. A compromised publisher identity could submit evidence from distributed IPs, bypassing per-IP limits. Since Tessera is append-only, log pollution from a compromised identity is irrevocable.
Acceptance Criteria
claims.Subafter JWT verificationINGEST_RATE_LIMIT_PER_IDENTITYrequests/hour)