Security defaults that belong in every ASP.NET Core application from day one.
{
"instruction": "Add rate limiting to all API endpoints with stricter limits on auth and mutation routes",
"relevant_when": "Agent creates or modifies an ASP.NET Core application, adds endpoints, or sets up an ASP.NET Core project",
"context": "Every ASP.NET Core API must have rate limiting using the built-in System.Threading.RateLimiting (.NET 7+). Apply a general limit on all API routes and stricter limits on auth and mutation endpoints. Configure a rejection handler that returns 429 with a meaningful error body; the rate limiting middleware rejects with 503 by default, so the 429 status has to be set explicitly.",
"sources": [
{
"type": "file",
"filename": "skills/aspnet-security-basics/SKILL.md",
"tile": "tessl-labs/aspnet-security-basics@0.2.0"
}
],
"checklist": [
{
"name": "rate-limiter-configured",
"rule": "Agent configures AddRateLimiter with at least one rate limiting policy",
"relevant_when": "Agent creates or modifies an ASP.NET Core application"
},
{
"name": "rate-limit-applied",
"rule": "Agent calls UseRateLimiter() in the middleware pipeline and applies rate limiting to endpoints via RequireRateLimiting()",
"relevant_when": "Agent creates or modifies an ASP.NET Core application"
},
{
"name": "auth-rate-limit-stricter",
"rule": "Agent applies a stricter rate limit to authentication endpoints (login, register) with a lower PermitLimit than the general limiter",
"relevant_when": "Agent creates authentication routes in ASP.NET Core"
},
{
"name": "rate-limit-rejection-handler",
"rule": "Agent configures OnRejected to return 429 status with a meaningful error response body",
"relevant_when": "Agent creates or modifies an ASP.NET Core application"
}
]
}