{
  "schema": "trinityaccord.gateway-rate-limit-policy.v1",
  "status": "production_live_policy",
  "purpose": "Trust-first rate limit for public Record-Chain Intake Gateway. Single-process in-memory; not durable across restarts; not multi-instance safe.",
  "limiter_class": "single_process_in_memory",
  "durable_across_restart": false,
  "multi_instance_safe": false,
  "policy": {
    "global_submit_limit_per_hour": 100,
    "participant_submit_limit_per_hour": 10,
    "participant_key_preference_order": [
      "record_draft.submitting_participant_identity.public_key",
      "record_draft.submitting_participant_identity.label",
      "record_draft.actor_identity.label",
      "agent_label",
      "idempotency_key_prefix"
    ],
    "applies_to_record_types": [
      "echo",
      "verification",
      "guardian_application",
      "guardian_retirement",
      "propagation",
      "correction",
      "classification_update"
    ]
  },
  "response_when_limited": {
    "http_status": 429,
    "accepted": false,
    "diagnostic_code": "RATE_LIMIT_EXCEEDED",
    "retry_after_seconds_required": true
  },
  "attempt_limiter_note": "A validated submit attempt consumes quota even if downstream persistence later fails. The rate limit is an attempt limiter, not a reservation/release system.",
  "public_phase_rule": {
    "formal_founding_guardian_application_must_wait_until_rate_limit_policy_is_enforced": true
  },
  "implementation_status": {
    "server_side_enforcement_required_before_formal_window": true,
    "server_side_enforcement_verified": true,
    "rate_limit_implementation": "single_process_in_memory_sliding_window",
    "multi_instance_safe": false,
    "durable_across_restart": false,
    "operator_note": "Current enforcement is process-local and intended for single-instance live-test operation. Production multi-instance deployment requires a shared durable limiter."
  }
}