Feat security rate enforcement

[dominikletica]

Summary

Implemented the feat-security-rate-enforcement slice: descriptor-backed Symfony RateLimiter enforcement with central off/standard/strict/panic profiles, Owner-safe ordinary exemptions, explicit scheduler interval enforcement, authenticated-user multipliers, /api/live/** and prefetch exclusions, redacted HTML/JSON 429 responses, suspicious-probe 400 handling, fail-open limiter storage diagnostics through the Message layer, scoped login reset hooks, dormant verified-captcha reset interfaces, and the Owner-gated Security settings mode.

Testing

• bin/phpunit: Passed (1435 tests, 9446 assertions)
• bin/jstest: Passed (37 tests)
• bin/lint: Passed
• Other (if not already covered by the full suites above):
  • php bin/console render:route /admin/settings/security --role=owner --env=test --no-debug --include-status: returned HTTP 200
  • Focused rate-limit/settings/render-route PHPUnit suites passed during implementation

Documentation

• Updated project readme (README.md) - not needed for this branch
• Updated feature drafts (dev/draft/*.md)
• Updated class map (dev/CLASSMAP.md)
• Updated worklog (dev/WORKLOG.md)
• Updated dev/user manuals (dev/manual/*.md / docs/*.md)

Additional Checks

• Security/privacy considerations, public entry points, sessions, secrets, and browser storage reviewed
• Package/module boundaries, access levels, route/API/live endpoint scopes, and collision risks reviewed
• Setup/init/CI, cross-platform behavior, disabled-feature fallbacks, and process/env handling reviewed
• Project-rules-, architecture-, naming- and documentation-drift reviewed (see P4 drift audit: architecture, modularity, naming, performance, and Symfony alignment #57 for details)
• Follow-up tasks captured in WORKLOG
• Updated / aligned translations and user-facing copy

Linked Issues / Discussions

Part of the feat-security branch tree (#102)

Review Notes

• Scheduler limiting is intentionally an operational pre-auth interval guard: standard allows one /cron/run per minute, strict one per 15 minutes, and panic one per hour. Legitimate scheduler 429 responses are expected caller feedback, not passive security signals.
• Suspicious probe requests return generic 400 responses; repeated probe correlation and real blocking decisions are deferred to the later auto-ban/security-signal slice.
• Rate-limit storage failures fail open and report through the Message layer without exposing limiter internals.
• Responses expose only safe request references and do not include bucket IDs, subject keys, IP data, API key material, or limiter details.
• Follow-up captured: custom system error-page content should later be rendered as the inner error body/fieldset while status-specific error templates decide full page chrome.

[dominikletica]

Rate-limiter implementation

Checks:

• PHPUnit OK, 1435 tests, 9446 assertions
• JSTest OK, 37 tests
• All lint checks passed

Ready for review

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 2f91ceeddf

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[dominikletica]

Addressed review findings

Checks:

• PHPUnit OK, 1447 tests, 9544 assertions
• JSTest OK, 37 tests
• All lint checks passed

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 268a6bfc5a

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[dominikletica]

Addressed review findings

Checks:

• PHPUnit OK, 1458 tests, 9679 assertions
• JSTest OK, 37 tests
• All lint checks passed

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 91cca74a96

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 38e8c574f5

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[dominikletica]

Addressed review findings

Checks:

• PHPUnit OK, 1508 tests, 10037 assertions
• JSTest OK, 37 tests
• All lint checks passed

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 126d19e4bc

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[dominikletica]

Addressed review findings

Checks:

• PHPUnit OK, 1514 tests, 10065 assertions
• JSTest OK, 37 tests
• All lint checks passed

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 6aea1c2316

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[dominikletica]

Addressed review findings

Checks:

• PHPUnit OK, 1562 tests, 10302 assertions
• JSTest OK, 37 tests
• All lint checks passed

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: d5f4261924

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[dominikletica]

Addressed review findings

Checks:

• PHPUnit OK, 1567 tests, 10342 assertions
• JSTest OK, 37 tests
• All lint checks passed

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 15aa164db1

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[dominikletica]

Addressed review findings

Checks:

• PHPUnit OK, 1578 tests, 10442 assertions
• JSTest OK, 37 tests
• All lint checks passed

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 6db53a5238

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[dominikletica]

Addressed review findings

Checks:

• PHPUnit OK, 1607 tests, 10516 assertions
• JSTest OK, 37 tests
• All lint checks passed

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 4ba4bd638c

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[dominikletica]

Addressed review findings

Checks:

• PHPUnit OK, 1615 tests, 10568 assertions
• JSTest OK, 37 tests
• All lint checks passed

Recap: Codex Cloud Review reported 39 issues: 39 solved/fixed.