Rate limiting exists only on the login endpoint (5 attempts/min). Every other route — including /api/spawn, /api/backup, /api/export, and agent messaging — has no rate limiting. A middleware-level rate limiter would prevent abuse. The current in-memory approach also resets on restart.
Rate limiting exists only on the login endpoint (5 attempts/min). Every other route — including
/api/spawn,/api/backup,/api/export, and agent messaging — has no rate limiting. A middleware-level rate limiter would prevent abuse. The current in-memory approach also resets on restart.