Skip to content

v0.2.0 Phase 1 — Infrastructure (rate limiting, CI deploy, settings sync)#2

Merged
chtnnh merged 3 commits into
mainfrom
cursor/v020-phase1-infrastructure-ec9a
Jun 23, 2026
Merged

v0.2.0 Phase 1 — Infrastructure (rate limiting, CI deploy, settings sync)#2
chtnnh merged 3 commits into
mainfrom
cursor/v020-phase1-infrastructure-ec9a

Conversation

@chtnnh

@chtnnh chtnnh commented Jun 23, 2026

Copy link
Copy Markdown
Owner

Implements Phase 1 — Infrastructure from docs/v0.2.0-plan.md, one logical commit per sub-task.

1.2 Rate limiting

  • New apps/web/src/lib/rate-limit.ts: in-memory fixed-window limiter keyed per client IP (x-forwarded-forx-real-ip), returns a 429 with clear JSON + Retry-After.
  • POST /api/rooms10/hour per IP.
  • POST /api/import/youtube30/min per IP.
  • Note: in-memory = per-instance (best-effort on serverless). Swap for a shared store (Redis/Upstash) if strict global limits are needed.

1.1 CI auto-deploy

  • New .github/workflows/deploy.yml: on successful CI run on main (workflow_run), deploys the Cloudflare Worker via pnpm --filter @together/realtime deploy.
  • Requires repo secrets CLOUDFLARE_API_TOKEN + CLOUDFLARE_ACCOUNT_ID (documented in the workflow header).
  • Web (apps/web) continues to deploy via the Vercel Git integration — documented in the workflow comments.

1.3 DO ↔ Postgres settings sync

  • room-client.tsx: host settings changes now PATCH /api/rooms/[slug]/settings whenever the user isHost (previously gated on hasOwner && isHost). The settings route already authorizes ownership server-side, so this keeps the DB in sync with the Durable Object and closes the gap for rooms claimed later in a session.
  • Verified the existing DO /init handler does not clobber live settings (only seeds on a genuinely new room), so no change needed there.

Testing

  • pnpm typecheck (6/6)
  • pnpm lint (6/6)
  • ✅ Rate limiting verified end-to-end against the dev server: 10 room-creates pass, 11th/12th return 429 with Retry-After; a different IP is unaffected; YouTube import blocks at the 31st request/min.
  • ✅ Settings PATCH verified in memory-store mode (returns merged settings).
  • ⚠️ Needs reviewer verification: 1.1 deploy can't run here (no Cloudflare secrets / restricted egress) and the 1.3 owner-only (403) auth path needs a real Postgres + Supabase auth, which aren't configured in this environment.

Rate-limit proof log:
phase1_ratelimit_proof.log

To show artifacts inline, enable in settings.

Open in Web Open in Cursor 

cursoragent and others added 3 commits June 23, 2026 10:19
@cursoragent @chtnnh
feat(api): rate limit room creation and YouTube import per IP (Phase …
46dd137 
…1.2)

Co-authored-by: Chaitanya Mittal <chtnnh@users.noreply.github.com>
@cursoragent @chtnnh
ci: auto-deploy realtime worker after CI passes on main (Phase 1.1)
ce9077a 
Co-authored-by: Chaitanya Mittal <chtnnh@users.noreply.github.com>
@cursoragent @chtnnh
fix(room): persist host settings to DB whenever host, keeping DB in s…
4c3b12d 
…ync with DO (Phase 1.3)

Co-authored-by: Chaitanya Mittal <chtnnh@users.noreply.github.com>
@vercel

vercel Bot commented Jun 23, 2026
edited
Loading

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
together-web Ready Ready Preview, Comment Jun 23, 2026 10:22am

@chtnnh chtnnh marked this pull request as ready for review June 23, 2026 10:51
@chtnnh chtnnh merged commit 38b3ecf into main Jun 23, 2026
4 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@chtnnh @cursoragent