feat: implement API key rate limiting for JSON-RPC (#1521)

* feat: implement tiered API key rate limiting for JSON-RPC (DXP-723)

Add Redis-backed sliding window rate limiting for public deployments, with
per-API-key tiers (free/pro/unlimited) or per-IP for anonymous requests.
Disabled by default via RATE_LIMIT_ENABLED env var.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: resolve unit test failures in CI

- Use MagicMock for redis.pipeline() since it's synchronous in redis.asyncio
- Rewrite middleware tests to mock dispatch directly instead of using
  TestClient (httpx not available in CI's backend/requirements.txt)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* test: add integration test script for API key rate limiting

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: resolve test warnings and add fail-open middleware behavior

- Use MagicMock for pipeline object (only execute() is async) to fix
  RuntimeWarning about unawaited coroutines in pipeline chaining methods
- Add fail-open behavior in middleware: catch unexpected exceptions from
  rate limiter and allow request through with a warning log
- Add test for fail-open behavior
- Add tier levels integration test script

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: make consensus appeal tests resilient to race conditions

With mock LLMs, consensus processes near-instantaneously so transient
statuses (PENDING, ACTIVATED) are often missed by the polling loop.
Use min_history_index to check the recorded status history and prefix
matching for intermediate assertions.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* feat: add manage-tiers and manage-api-keys Claude skills

Add two new user-invocable skills for managing API rate limiting:
- /manage-tiers: Create, list, update, and delete API rate limiting tiers
- /manage-api-keys: Create, list, deactivate, and reactivate API keys

Both skills support local dev and hosted deployments with proper
environment detection and admin key handling.

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

Author: cristiam86

.claude/skills/manage-api-keys/SKILL.md

@@ -0,0 +1,128 @@
+---
+name: manage-api-keys
+description: Create, list, deactivate, and reactivate API keys for rate limiting
+invocation: user
+---
+
+# Manage API Keys
+
+CRUD operations for API keys used in rate limiting on GenLayer Studio deployments.
+
+## Setup
+
+Before any operation, determine the target environment:
+
+1. **Ask the user** which environment they are targeting:
+   - **Local dev**: `BASE_URL=http://localhost:4000/api`, no `admin_key` needed
+   - **Hosted** (dev/stg/prd): `BASE_URL=https://<domain>/api`, requires `admin_key`
+
+2. For hosted deployments, **ask the user for the `ADMIN_API_KEY`** (stored in k8s secrets as `ADMIN_API_KEY`).
+
+## Operations
+
+Ask the user which operation to perform: **Create**, **List**, **Deactivate**, or **Reactivate**.
+
+### List API Keys
+
+**Note:** This endpoint may not exist yet. If `admin_listApiKeys` is not available, query the database directly using the `studio-db` skill, or inform the user it needs to be implemented.
+
+```bash
+# List all keys
+curl -s -X POST "$BASE_URL" -H "Content-Type: application/json" --data-binary @- <<'EOF' | python3 -m json.tool
+{"jsonrpc":"2.0","method":"admin_listApiKeys","params":{"admin_key":"<ADMIN_KEY>"},"id":1}
+EOF
+
+# Filter by tier
+curl -s -X POST "$BASE_URL" -H "Content-Type: application/json" --data-binary @- <<'EOF' | python3 -m json.tool
+{"jsonrpc":"2.0","method":"admin_listApiKeys","params":{"tier_name":"free","admin_key":"<ADMIN_KEY>"},"id":1}
+EOF
+
+# Filter by active status
+curl -s -X POST "$BASE_URL" -H "Content-Type: application/json" --data-binary @- <<'EOF' | python3 -m json.tool
+{"jsonrpc":"2.0","method":"admin_listApiKeys","params":{"is_active":false,"admin_key":"<ADMIN_KEY>"},"id":1}
+EOF
+```
+
+### Create API Key
+
+Ask the user for: `tier_name` (suggest listing tiers first with `/manage-tiers`) and optional `description`.
+
+```bash
+curl -s -X POST "$BASE_URL" -H "Content-Type: application/json" --data-binary @- <<'EOF' | python3 -m json.tool
+{"jsonrpc":"2.0","method":"admin_createApiKey","params":{"tier_name":"<TIER_NAME>","description":"<DESCRIPTION>","admin_key":"<ADMIN_KEY>"},"id":1}
+EOF
+```
+
+**IMPORTANT:** The full API key (e.g., `glk_abcdef1234...`) is **only returned once** at creation time. Remind the user to store it securely. Only the `key_prefix` (first 8 chars) is stored for identification.
+
+Response includes:
+- `api_key`: Full key (store this!)
+- `key_prefix`: First 8 characters (e.g., `glk_ab12`)
+- `tier`: Tier name
+- `description`: Optional description
+
+### Deactivate API Key
+
+Ask the user for the `key_prefix` (8 characters, e.g., `glk_ab12`). If they don't know it, list keys first.
+
+```bash
+curl -s -X POST "$BASE_URL" -H "Content-Type: application/json" --data-binary @- <<'EOF' | python3 -m json.tool
+{"jsonrpc":"2.0","method":"admin_deactivateApiKey","params":{"key_prefix":"<KEY_PREFIX>","admin_key":"<ADMIN_KEY>"},"id":1}
+EOF
+```
+
+Deactivation takes effect immediately (Redis cache is invalidated).
+
+### Reactivate API Key
+
+**Note:** This endpoint may not exist yet. If `admin_reactivateApiKey` is not available, inform the user it needs to be implemented.
+
+```bash
+curl -s -X POST "$BASE_URL" -H "Content-Type: application/json" --data-binary @- <<'EOF' | python3 -m json.tool
+{"jsonrpc":"2.0","method":"admin_reactivateApiKey","params":{"key_prefix":"<KEY_PREFIX>","admin_key":"<ADMIN_KEY>"},"id":1}
+EOF
+```
+
+## API Key Usage
+
+Clients send the API key via the `X-API-Key` HTTP header:
+
+```bash
+curl -X POST "$BASE_URL" \
+  -H "Content-Type: application/json" \
+  -H "X-API-Key: glk_<full_key>" \
+  -d '{"jsonrpc":"2.0","method":"<method>","params":{...},"id":1}'
+```
+
+- Requests without `X-API-Key` are subject to anonymous rate limits (default: 10/min, 100/hr, 1000/day).
+- Invalid or deactivated keys return `-32029 "Invalid API key"`.
+- When the rate limit is exceeded, the response is HTTP 429 with a JSON-RPC error including `window`, `limit`, `current`, and `retry_after_seconds`.
+
+## Common Errors
+
+| Error | Cause |
+|-------|-------|
+| `-32000` "Admin access required" | Missing or invalid `admin_key` on hosted deployment |
+| `-32602` "Tier not found: X" | Specified `tier_name` doesn't exist |
+| `-32001` "Active API key with prefix X not found" | Key doesn't exist or is already deactivated |
+| `-32029` "Invalid API key" | Key is invalid or deactivated (when rate limiting is enabled) |
+| `-32029` "Rate limit exceeded: N requests per minute" | Key has exceeded its tier's rate limit |
+
+## Key Format
+
+- Full key: `glk_` + 64 hex characters (68 chars total)
+- Key prefix: first 8 characters (e.g., `glk_ab12`)
+- Storage: only the SHA-256 hash is stored in the database; the full key cannot be recovered
+
+## Important Notes
+
+- Always use `--data-binary @-` with heredoc (`<<'EOF'`) to avoid shell expansion issues with special characters in the admin key.
+- When rate limiting is disabled (`RATE_LIMIT_ENABLED=false`), keys can still be created and managed, but rate limits are not enforced and invalid keys are not rejected.
+- Cache invalidation happens automatically on deactivate/reactivate (5-minute TTL otherwise).
+
+## Reference
+
+- Models: `backend/database_handler/models.py` (ApiKey class)
+- Endpoints: `backend/protocol_rpc/endpoints.py` (admin_create_api_key, admin_deactivate_api_key)
+- Rate limiter: `backend/protocol_rpc/rate_limiter.py`
+- Middleware: `backend/protocol_rpc/rate_limit_middleware.py`

.claude/skills/manage-tiers/SKILL.md

@@ -0,0 +1,105 @@
+---
+name: manage-tiers
+description: Create, list, update, and delete API rate limiting tiers
+invocation: user
+---
+
+# Manage API Rate Limiting Tiers
+
+CRUD operations for API rate limiting tiers on GenLayer Studio deployments.
+
+## Setup
+
+Before any operation, determine the target environment:
+
+1. **Ask the user** which environment they are targeting:
+   - **Local dev**: `BASE_URL=http://localhost:4000/api`, no `admin_key` needed
+   - **Hosted** (dev/stg/prd): `BASE_URL=https://<domain>/api`, requires `admin_key`
+
+2. For hosted deployments, **ask the user for the `ADMIN_API_KEY`** (stored in k8s secrets as `ADMIN_API_KEY`).
+
+## Operations
+
+Ask the user which operation to perform: **Create**, **List**, **Update**, or **Delete**.
+
+### List Tiers
+
+```bash
+curl -s -X POST "$BASE_URL" -H "Content-Type: application/json" --data-binary @- <<'EOF' | python3 -m json.tool
+{"jsonrpc":"2.0","method":"admin_listTiers","params":{"admin_key":"<ADMIN_KEY>"},"id":1}
+EOF
+```
+
+For local dev (no admin_key):
+```bash
+curl -s -X POST "$BASE_URL" -H "Content-Type: application/json" \
+  -d '{"jsonrpc":"2.0","method":"admin_listTiers","params":{},"id":1}' | python3 -m json.tool
+```
+
+### Create Tier
+
+Ask the user for: `name`, `rate_limit_minute`, `rate_limit_hour`, `rate_limit_day`.
+
+```bash
+curl -s -X POST "$BASE_URL" -H "Content-Type: application/json" --data-binary @- <<'EOF' | python3 -m json.tool
+{"jsonrpc":"2.0","method":"admin_createTier","params":{"name":"<NAME>","rate_limit_minute":<RPM>,"rate_limit_hour":<RPH>,"rate_limit_day":<RPD>,"admin_key":"<ADMIN_KEY>"},"id":1}
+EOF
+```
+
+### Update Tier
+
+**Note:** This endpoint may not exist yet. Check by listing tiers first. If `admin_updateTier` is not available, inform the user it needs to be implemented.
+
+Ask the user for: `name` (existing tier) and which limits to change.
+
+```bash
+curl -s -X POST "$BASE_URL" -H "Content-Type: application/json" --data-binary @- <<'EOF' | python3 -m json.tool
+{"jsonrpc":"2.0","method":"admin_updateTier","params":{"name":"<NAME>","rate_limit_minute":<RPM>,"rate_limit_hour":<RPH>,"rate_limit_day":<RPD>,"admin_key":"<ADMIN_KEY>"},"id":1}
+EOF
+```
+
+Only include the fields that need changing.
+
+### Delete Tier
+
+**Note:** This endpoint may not exist yet. If `admin_deleteTier` is not available, inform the user it needs to be implemented.
+
+Deletion fails if any API keys (active or inactive) reference the tier.
+
+```bash
+curl -s -X POST "$BASE_URL" -H "Content-Type: application/json" --data-binary @- <<'EOF' | python3 -m json.tool
+{"jsonrpc":"2.0","method":"admin_deleteTier","params":{"name":"<NAME>","admin_key":"<ADMIN_KEY>"},"id":1}
+EOF
+```
+
+## Default Seeded Tiers
+
+These are created by the Alembic migration:
+
+| Tier | Requests/min | Requests/hr | Requests/day |
+|------|-------------|-------------|--------------|
+| free | 30 | 500 | 5,000 |
+| pro | 120 | 3,000 | 50,000 |
+| unlimited | 999,999 | 999,999 | 999,999 |
+
+## Common Errors
+
+| Error | Cause |
+|-------|-------|
+| `-32000` "Admin access required" | Missing or invalid `admin_key` on hosted deployment |
+| `-32602` "Duplicate tier name" | Tier with that name already exists (unique constraint) |
+| `-32602` "Cannot delete tier: N API key(s) still reference it" | Deactivate/delete keys first |
+| `-32001` "Tier not found: X" | Tier name doesn't exist |
+
+## Important Notes
+
+- Always use `--data-binary @-` with heredoc (`<<'EOF'`) to avoid shell expansion issues with special characters in the admin key (e.g., `+`, `=`).
+- Tier names must be unique and max 50 characters.
+- Rate limits are enforced per sliding window (minute, hour, day) using Redis sorted sets.
+- When rate limiting is disabled (`RATE_LIMIT_ENABLED=false`), tiers can still be managed but limits are not enforced.
+
+## Reference
+
+- Models: `backend/database_handler/models.py` (ApiTier class)
+- Endpoints: `backend/protocol_rpc/endpoints.py` (admin_create_tier, admin_list_tiers)
+- Migration: `backend/database_handler/migration/versions/b1c3e5f7a902_add_api_tiers_and_api_keys.py`