feat(gateway): add websocket ingress rate limiting

src/config/schema.test.ts

@@ -46,6 +46,34 @@ describe('configSchema — server', () => {
     });
     expect(result.server.max_request_body_bytes).toBe(2048);
   });
+
+  it('defaults ws_rate_limit settings', () => {
+    const result = configSchema.parse(minimalConfig);
+    expect(result.server.ws_rate_limit.enabled).toBe(true);
+    expect(result.server.ws_rate_limit.capacity).toBe(30);
+    expect(result.server.ws_rate_limit.refill_per_sec).toBe(15);
+    expect(result.server.ws_rate_limit.max_violations).toBe(8);
+    expect(result.server.ws_rate_limit.violation_window_ms).toBe(10_000);
+  });
+
+  it('accepts custom ws_rate_limit settings', () => {
+    const result = configSchema.parse({
+      ...minimalConfig,
+      server: {
+        ws_rate_limit: {
+          enabled: true,
+          capacity: 5,
+          refill_per_sec: 2,
+          max_violations: 3,
+          violation_window_ms: 2000,
+        },
+      },
+    });
+    expect(result.server.ws_rate_limit.capacity).toBe(5);
+    expect(result.server.ws_rate_limit.refill_per_sec).toBe(2);
+    expect(result.server.ws_rate_limit.max_violations).toBe(3);
+    expect(result.server.ws_rate_limit.violation_window_ms).toBe(2000);
+  });
 });
 
 describe('configSchema — agent_configs', () => {

src/config/schema.ts

@@ -24,6 +24,14 @@ const pairingSchema = z.object({
   code_length: z.number().default(6),
 }).default({});
 
+const wsRateLimitSchema = z.object({
+  enabled: z.boolean().default(true),
+  capacity: z.number().min(1).max(1000).default(30),
+  refill_per_sec: z.number().min(1).max(1000).default(15),
+  max_violations: z.number().min(1).max(100).default(8),
+  violation_window_ms: z.number().min(1000).max(60000).default(10000),
+}).default({});
+
 const serverSchema = z.object({
   tailscale: tailscaleSchema,
   localhost: z.boolean().default(true),
@@ -38,6 +46,8 @@ const serverSchema = z.object({
   lock: z.boolean().default(false),
   /** Maximum size (bytes) for inbound HTTP request bodies (webhooks/Gmail push). */
   max_request_body_bytes: z.number().min(1024).max(10 * 1024 * 1024).default(1_048_576),
+  /** Per-connection WebSocket ingress rate limit settings. */
+  ws_rate_limit: wsRateLimitSchema,
 });
 
 /** All supported model provider identifiers. Used by the config schema and TUI autocompletion. */