PROJECT-CONTORL/openspec/changes/archive/2026-01-10-add-rate-limiting-expansion/specs/user-auth/spec.md

## ADDED Requirements

### Requirement: Comprehensive API Rate Limiting
The system SHALL enforce rate limits on all sensitive API endpoints to prevent abuse and ensure service availability.

#### Scenario: Task creation rate limit exceeded
- **WHEN** user exceeds 60 task creation requests per minute
- **THEN** system returns 429 Too Many Requests
- **THEN** response includes Retry-After header

#### Scenario: Report generation rate limit exceeded
- **WHEN** user exceeds 5 report generation requests per minute
- **THEN** system returns 429 Too Many Requests
- **THEN** response includes rate limit headers

#### Scenario: Rate limit headers provided
- **WHEN** user makes any rate-limited API request
- **THEN** response includes X-RateLimit-Limit header
- **THEN** response includes X-RateLimit-Remaining header
- **THEN** response includes X-RateLimit-Reset header

#### Scenario: Rate limit window reset
- **WHEN** rate limit window expires
- **THEN** user can make requests again up to the limit
- **THEN** X-RateLimit-Remaining resets to maximum