docs: mark Phase 3 tasks done; document WAF rate limiting in TODO

P1-4, P2-10, P2-11 marked DONE in TECH_DEBT.md. P1-5 (rate limiting) is infrastructure-only — documented in TODO.md with the recommended Cloudflare WAF rule targets and thresholds. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-20 22:03:48 +00:00 · 2026-05-22 10:56:55 +02:00
parent 205d4ef5bb
commit 427eac973c
2 changed files with 8 additions and 6 deletions
@@ -27,12 +27,12 @@ Generated: 2026-05-22

 ## Phase 3 — Ongoing / Infrastructure

-| #     | Task                                                 | Priority |
-| ----- | ---------------------------------------------------- | -------- |
-| P1-4  | Structured logging + error aggregation               | 36       |
-| P1-5  | Rate limiting (Cloudflare WAF rules)                 | 24       |
-| P2-10 | Extract constants module (`src/config/constants.ts`) | 12       |
-| P2-11 | Split `admin.ts` into sub-modules                    | 8        |
+| #     | Task                                                 | Priority | Status                    |
+| ----- | ---------------------------------------------------- | -------- | ------------------------- |
+| P1-4  | Structured logging + error aggregation               | 36       | DONE                      |
+| P1-5  | Rate limiting (Cloudflare WAF rules)                 | 24       | Infrastructure (see TODO) |
+| P2-10 | Extract constants module (`src/config/constants.ts`) | 12       | DONE                      |
+| P2-11 | Split `admin.ts` into sub-modules                    | 8        | DONE                      |

 ---

@@ -24,4 +24,6 @@ Feature gaps identified by comparing with [kill-the-newsletter](https://github.c

 - [ ] **WebSub (PubSubHubbub) push notifications** — notify subscribers in real time when a new email arrives, instead of requiring them to poll the feed. Requires either integrating a public WebSub hub or implementing the hub protocol directly.

+- [ ] **Rate limiting via Cloudflare WAF rules** — protect `/api/inbound` and `/admin` against abuse. Configure WAF custom rules in the Cloudflare dashboard (or via Terraform): rate-limit `/api/inbound` to ~60 req/min per IP, and `/admin` to ~20 req/min per IP. No code changes required; this is pure infrastructure configuration.
+
 - [ ] **Migrate feed metadata to Durable Objects for atomic writes** — the current KV-based metadata store has a read-modify-write race condition: two concurrent emails to the same feed can silently overwrite each other's changes. Cloudflare Durable Objects serialise access per feed and eliminate the race entirely. Requires replacing `feed:<feedId>:metadata` KV writes in `src/lib/email-processor.ts` with a Durable Object that exposes an `appendEmail()` RPC, updating `wrangler.toml` with a DO binding, and migrating existing metadata at deploy time.