feat: add configurable rate limiting

Rate limits now configurable via config.toml and ENV variables:
- New [rate_limit] config section with auth/upload/general settings
- ENV: NORA_RATE_LIMIT_{AUTH|UPLOAD|GENERAL}_{RPS|BURST}
- Rate limit configuration logged at startup
- Functions accept &RateLimitConfig instead of hardcoded values

nora-registry/src/config.rs

@@ -14,6 +14,8 @@ pub struct Config {
     pub pypi: PypiConfig,
     #[serde(default)]
     pub auth: AuthConfig,
+    #[serde(default)]
+    pub rate_limit: RateLimitConfig,
 }
 
 #[derive(Debug, Clone, Serialize, Deserialize)]
@@ -137,6 +139,64 @@ impl Default for AuthConfig {
     }
 }
 
+/// Rate limiting configuration
+///
+/// Controls request rate limits for different endpoint types.
+///
+/// # Example
+/// ```toml
+/// [rate_limit]
+/// auth_rps = 1
+/// auth_burst = 5
+/// upload_rps = 500
+/// upload_burst = 1000
+/// general_rps = 100
+/// general_burst = 200
+/// ```
+///
+/// # Environment Variables
+/// - `NORA_RATE_LIMIT_AUTH_RPS` - Auth requests per second
+/// - `NORA_RATE_LIMIT_AUTH_BURST` - Auth burst size
+/// - `NORA_RATE_LIMIT_UPLOAD_RPS` - Upload requests per second
+/// - `NORA_RATE_LIMIT_UPLOAD_BURST` - Upload burst size
+/// - `NORA_RATE_LIMIT_GENERAL_RPS` - General requests per second
+/// - `NORA_RATE_LIMIT_GENERAL_BURST` - General burst size
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct RateLimitConfig {
+    #[serde(default = "default_auth_rps")]
+    pub auth_rps: u64,
+    #[serde(default = "default_auth_burst")]
+    pub auth_burst: u32,
+    #[serde(default = "default_upload_rps")]
+    pub upload_rps: u64,
+    #[serde(default = "default_upload_burst")]
+    pub upload_burst: u32,
+    #[serde(default = "default_general_rps")]
+    pub general_rps: u64,
+    #[serde(default = "default_general_burst")]
+    pub general_burst: u32,
+}
+
+fn default_auth_rps() -> u64 { 1 }
+fn default_auth_burst() -> u32 { 5 }
+fn default_upload_rps() -> u64 { 200 }
+fn default_upload_burst() -> u32 { 500 }
+fn default_general_rps() -> u64 { 100 }
+fn default_general_burst() -> u32 { 200 }
+
+impl Default for RateLimitConfig {
+    fn default() -> Self {
+        Self {
+            auth_rps: default_auth_rps(),
+            auth_burst: default_auth_burst(),
+            upload_rps: default_upload_rps(),
+            upload_burst: default_upload_burst(),
+            general_rps: default_general_rps(),
+            general_burst: default_general_burst(),
+        }
+    }
+}
+
 impl Config {
     /// Load configuration with priority: ENV > config.toml > defaults
     pub fn load() -> Self {
@@ -223,6 +283,38 @@ impl Config {
         if let Ok(val) = env::var("NORA_AUTH_TOKEN_STORAGE") {
             self.auth.token_storage = val;
         }
+
+        // Rate limit config
+        if let Ok(val) = env::var("NORA_RATE_LIMIT_AUTH_RPS") {
+            if let Ok(v) = val.parse::<u64>() {
+                self.rate_limit.auth_rps = v;
+            }
+        }
+        if let Ok(val) = env::var("NORA_RATE_LIMIT_AUTH_BURST") {
+            if let Ok(v) = val.parse::<u32>() {
+                self.rate_limit.auth_burst = v;
+            }
+        }
+        if let Ok(val) = env::var("NORA_RATE_LIMIT_UPLOAD_RPS") {
+            if let Ok(v) = val.parse::<u64>() {
+                self.rate_limit.upload_rps = v;
+            }
+        }
+        if let Ok(val) = env::var("NORA_RATE_LIMIT_UPLOAD_BURST") {
+            if let Ok(v) = val.parse::<u32>() {
+                self.rate_limit.upload_burst = v;
+            }
+        }
+        if let Ok(val) = env::var("NORA_RATE_LIMIT_GENERAL_RPS") {
+            if let Ok(v) = val.parse::<u64>() {
+                self.rate_limit.general_rps = v;
+            }
+        }
+        if let Ok(val) = env::var("NORA_RATE_LIMIT_GENERAL_BURST") {
+            if let Ok(v) = val.parse::<u32>() {
+                self.rate_limit.general_burst = v;
+            }
+        }
     }
 }
 
@@ -243,6 +335,44 @@ impl Default for Config {
             npm: NpmConfig::default(),
             pypi: PypiConfig::default(),
             auth: AuthConfig::default(),
+            rate_limit: RateLimitConfig::default(),
         }
     }
 }
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn test_rate_limit_default() {
+        let config = RateLimitConfig::default();
+        assert_eq!(config.auth_rps, 1);
+        assert_eq!(config.auth_burst, 5);
+        assert_eq!(config.upload_rps, 200);
+        assert_eq!(config.upload_burst, 500);
+        assert_eq!(config.general_rps, 100);
+        assert_eq!(config.general_burst, 200);
+    }
+
+    #[test]
+    fn test_rate_limit_from_toml() {
+        let toml = r#"
+            [server]
+            host = "127.0.0.1"
+            port = 4000
+
+            [storage]
+            mode = "local"
+
+            [rate_limit]
+            auth_rps = 10
+            upload_burst = 1000
+        "#;
+
+        let config: Config = toml::from_str(toml).unwrap();
+        assert_eq!(config.rate_limit.auth_rps, 10);
+        assert_eq!(config.rate_limit.upload_burst, 1000);
+        assert_eq!(config.rate_limit.auth_burst, 5); // default
+    }
+}