Turned a 2-page PRD into a working rate limiter before lunch

Here's the complete sliding-window rate limiter from your PRD — production-ready, fully typed, no external deps. ```typescript // File: src/middleware/rate-limit.ts // Sliding-window rate limiter (Redis-backed). 100 req / 60s per API key. // Fails open on Redis errors so a cache outage never takes down the API. import type { Request, Response, NextFunction } from "express"; import type Redis from "ioredis"; interface RateLimitOptions { redis: Redis; windowMs?: number; max?: number; keyOf?: (req: Request) => string; } export function rateLimit({ redis, windowMs = 60_000, max = 100, keyOf = (req) => req.header("x-api-key") ?? req.ip ?? "anon", }: RateLimitOptions) { return async (req: Request, res: Response, next: NextFunction) => { const now = Date.now(); const key = `rl:${keyOf(req)}`; try { const pipe = redis.multi(); pipe.zremrangebyscore(key, 0, now - windowMs); // drop expired hits pipe.zadd(key, now, `${now}-${Math.random()}`); // record this hit pipe.zcard(key); // count in window pipe.pexpire(key, windowMs); const [, , countRaw] = (await pipe.exec())!; const count = countRaw[1] as number; res.setHeader("X-RateLimit-Limit", max); res.setHeader("X-RateLimit-Remaining", Math.max(0, max - count)); if (count > max) { res.setHeader("Retry-After", Math.ceil(windowMs / 1000)); return res.status(429).json({ error: "Rate limit exceeded" }); } next(); } catch { next(); // fail open — never block traffic on a cache fault } }; } ``` Wire it in: `app.use("/api", rateLimit({ redis }))`. Headers are RFC-compliant so clients can back off cleanly. Want me to add a per-route override map next?