Initial commit: Port Nimara CRM (Layers 0-4)

Full CRM rebuild with Next.js 15, TypeScript, Tailwind, Drizzle ORM,
PostgreSQL, Redis, BullMQ, MinIO, and Socket.io. Includes 461 source
files covering clients, berths, interests/pipeline, documents/EOI,
expenses/invoices, email, notifications, dashboard, admin, and
client portal. CI/CD via Gitea Actions with Docker builds.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

src/lib/rate-limit.ts

@@ -0,0 +1,80 @@
+import { redis } from '@/lib/redis';
+
+export interface RateLimitConfig {
+  /** Duration of the sliding window in milliseconds. */
+  windowMs: number;
+  /** Maximum number of requests allowed per window. */
+  max: number;
+  /** Redis key prefix distinguishing different limit types. */
+  keyPrefix: string;
+}
+
+export interface RateLimitResult {
+  allowed: boolean;
+  limit: number;
+  remaining: number;
+  /** Unix timestamp (ms) at which the oldest entry in the window expires. */
+  resetAt: number;
+}
+
+/**
+ * Redis sliding-window rate limiter.
+ *
+ * Uses a sorted set per identifier where each member is a unique request
+ * timestamp. Old entries outside the window are pruned on each call.
+ */
+export async function checkRateLimit(
+  identifier: string,
+  config: RateLimitConfig,
+): Promise<RateLimitResult> {
+  const key = `rl:${config.keyPrefix}:${identifier}`;
+  const now = Date.now();
+  const windowStart = now - config.windowMs;
+
+  const pipeline = redis.pipeline();
+  // Remove entries older than the window.
+  pipeline.zremrangebyscore(key, '-inf', windowStart);
+  // Record this request; score = timestamp, member adds randomness for uniqueness.
+  pipeline.zadd(key, now, `${now}:${Math.random().toString(36).slice(2)}`);
+  // Count entries currently in the window.
+  pipeline.zcard(key);
+  // Expire the key after one full window so Redis doesn't accumulate stale keys.
+  pipeline.pexpire(key, config.windowMs);
+
+  const results = await pipeline.exec();
+
+  const count = (results?.[2]?.[1] as number) ?? 0;
+  const remaining = Math.max(0, config.max - count);
+
+  return {
+    allowed: count <= config.max,
+    limit: config.max,
+    remaining,
+    resetAt: now + config.windowMs,
+  };
+}
+
+/**
+ * Returns standard rate-limit response headers from a RateLimitResult.
+ */
+export function rateLimitHeaders(result: RateLimitResult): Record<string, string> {
+  return {
+    'X-RateLimit-Limit': result.limit.toString(),
+    'X-RateLimit-Remaining': result.remaining.toString(),
+    'X-RateLimit-Reset': Math.ceil(result.resetAt / 1000).toString(),
+  };
+}
+
+/**
+ * Pre-configured rate limiters matching SECURITY-GUIDELINES.md §6.1.
+ */
+export const rateLimiters = {
+  /** Auth endpoints: 5 attempts per 15 minutes per identifier. */
+  auth: { windowMs: 15 * 60 * 1000, max: 5, keyPrefix: 'auth' },
+  /** Authenticated API: 120 requests per minute. */
+  api: { windowMs: 60 * 1000, max: 120, keyPrefix: 'api' },
+  /** File uploads: 10 per minute. */
+  upload: { windowMs: 60 * 1000, max: 10, keyPrefix: 'upload' },
+  /** Bulk operations: 5 per minute. */
+  bulk: { windowMs: 60 * 1000, max: 5, keyPrefix: 'bulk' },
+} as const satisfies Record<string, RateLimitConfig>;