feat: security and auditing

api/src/app/plugins/rate-limit.ts

@@ -0,0 +1,37 @@
+/**
+ * @copyright 2026 NHCarrigan
+ * @license Naomi's Public License
+ * @author Naomi Carrigan
+ */
+
+import { FastifyPluginAsync } from "fastify";
+import fastifyPlugin from "fastify-plugin";
+import fastifyRateLimit from "@fastify/rate-limit";
+import { AuditService } from "../services/audit.service";
+import { AuditAction, AuditCategory } from "@library/shared-types";
+
+const rateLimitPlugin: FastifyPluginAsync = async (app) => {
+  await app.register(fastifyRateLimit, {
+    max: 100,
+    timeWindow: "1 minute",
+    errorResponseBuilder: (request) => {
+      // Log rate limit exceeded event
+      AuditService.log({
+        action: AuditAction.RATE_LIMIT_EXCEEDED,
+        category: AuditCategory.SECURITY,
+        details: `Rate limit exceeded for URL: ${request.url}`,
+        success: false,
+      }, request).catch(() => {
+        // Ignore logging errors to avoid blocking the response
+      });
+
+      return {
+        statusCode: 429,
+        error: "Too Many Requests",
+        message: "You have exceeded the rate limit. Please try again later.",
+      };
+    },
+  });
+};
+
+export default fastifyPlugin(rateLimitPlugin);