feat(relay): Operation-based rate limiting + Resolve most recent

[afterburn]

Summary
This PR replaces current rate limiting with an operation-based configuration that maps directly to the relay's three core operations: publish, resolve, and resolve_most_recent.

Configuration Example

[relay]
[[relay.rate_limits]]
operation = "resolve"
quota = "10r/s"
burst = 20

[[relay.rate_limits]]
operation = "resolve_most_recent"
quota = "2r/s"
burst = 5

[[relay.rate_limits]]
operation = "publish"
quota = "2r/s"
burst = 10
whitelist = ["127.0.0.1", "192.168.1.0/24"]  # optional, both ips and subnets supported

Operations in this toml file automatically map to:

• publish → PUT requests (publishing records)
• resolve → GET requests without most_recent=true (cached lookups)
• resolve_most_recent → GET requests with most_recent=true (DHT queries)

If no config.toml file is present, system will use defaults, so this is not a breaking change.

[SeverinAlexB]

Need to do a second round later

[afterburn]

@SeverinAlexB resolved your feedback:

• Removed kb, mb, gb quota units, now always uses either r/s or r/m as requested
• Changed default rate limits to something saner
• Added behind_proxy flag in config toml, which allows users to respect/ignore proxy headers
• Cleaned up IP extraction, only happens once per request now
• Added operation 'Index' so users can specify rate limiting for root path

[SeverinAlexB]

Two comments, otherwise looks good.

In the Pubky Core team, we have a convention on how to format PR title. We stick to the conventional commit format.

So for this PR, the title could be: feat(relay): Operation-based rate limiting + Resolve most recent

[afterburn]

@SeverinAlexB

• If no rate limits are defined in config.toml, rate limiting will be disabled completely
• Added Index to Operation enum so calling GET http://0.0.0.0:6881/ doesn't trigger the incorrect rate limit
• Added resolve_most_recent_enabled flag so users have the ability to completely ignore the most_recent=true query parameter (defaults to false for backward compatibility)

[SeverinAlexB]

One NIT, otherwise good to go

[SeverinAlexB]

Actually, should this add the most_recent option to the pkarr client too? You are just adding it to the relay in this PR?

[afterburn]

@SeverinAlexB @SHAcollision Restored DHT rate limiting that was previously removed. Since the DHT can be accessed directly, keeping rate limiting in place is necessary. The implementation is now fully backward compatible. Existing [rate_limiter] configurations continue to work as before. New [dht_rate_limit] and [http_rate_limit] options are opt-in. By default, it falls back to the legacy IP-based limiter unless one of the new configs is defined. Also added a comprehensive test to cover the new behavior and ensure backward compat.

[86667]

Few comments 👍

Also we could have quite a few more unit tests. All behaviour may be tested somewhere but unit tests inline with the code they test are pretty much always worth it these days with how fast AI can write them IMO

[86667]

This feels like difficult behaviour to debug. Did we consider returning an error if most_recent is requested but the relay is configured with resolve_most_recent: false?

[86667]

This may technically be a breaking change. im not sure if we have any other consumers of the module as a lib

[86667]

Should we be merging into v6 branch

[86667]

if so, maybe we can remove the config backwards compatibility logic

[86667]

especially concerning is behind_proxy being in two possible places - which takes precedence? If we need to keep backwards compatibility then this should be documented. Quick AI check says that [relay].behind_proxy will infact override [rate_limiter].behind_proxy

[86667]

nit: no need to clone

[86667]

Why does the rate limiter need to consider the resolve_most_recent config var here? it cares for rate limiting based on the requests, the process's config is irrelevant

[86667]

Retry-After header always nice for 429s