itsi-server 0.2.21.rc1 → 0.2.21.rc2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 874e6827c0fa031b9efcaeeb024a83b457367e9e6e78138307ab1dfb1dc5f342
-  data.tar.gz: b13b6138c4a7c630bd88c907ae8edc9bca0cbe7626d96e47c24dfa4bf020e470
+  metadata.gz: 4b429e81e1fd3091d28a61a2db0c55ea8d38965077c4da330470c248f8a7f39c
+  data.tar.gz: c6bb3a7a3ac05b5d1a8b75d97774b6576717e900dae56e33bae11b70cf6ea782
 SHA512:
-  metadata.gz: 180ccbafb120b1bde651f5cf574c97afc4214a199b6f273f656b17fae1fb8daa42fe7376ea6fe78d545882e049d3de01bb301ebac6da389906f59ccb3c28c0b4
-  data.tar.gz: bb31862f6755a22c799e2292ef603f1ae9c1cdc82ce3f78583a5571f54f077b432dec33d9e7dbf0459bf4ca823738ffc9db0500caea27fe24dd8a99899829e8c
+  metadata.gz: cfc08df98fb6faad6c36e240f96e10e9c49f6ffc1f87c4fd874317ea382cf4a27dd06136844d8a3831781c308cac0c49f60ad870e66ad88e09659fd4e10b4a93
+  data.tar.gz: 2b09c90b8079d16998a213f6fdb49cb655463ea6d0c487fafd9c590b0a54c1a64fc3ed360a3ffb7bfbc3135cc5c7e2310f21894de4c3b08fa38d3a7bf1142613

data/Cargo.lock

@@ -1906,9 +1906,9 @@ checksum = "13dc2df351e3202783a1fe0d44375f7295ffb4049267b0f3018346dc122a1d94"
 
 [[package]]
 name = "magnus"
-version = "0.7.1"
+version = "0.8.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3d87ae53030f3a22e83879e666cb94e58a7bdf31706878a0ba48752994146dab"
+checksum = "3b36a5b126bbe97eb0d02d07acfeb327036c6319fd816139a49824a83b7f9012"
 dependencies = [
  "bytes",
  "magnus-macros",
@@ -1919,9 +1919,9 @@ dependencies = [
 
 [[package]]
 name = "magnus-macros"
-version = "0.6.0"
+version = "0.8.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5968c820e2960565f647819f5928a42d6e874551cab9d88d75e3e0660d7f71e3"
+checksum = "47607461fd8e1513cb4f2076c197d8092d921a1ea75bd08af97398f593751892"
 dependencies = [
  "proc-macro2",
  "quote",
@@ -2554,18 +2554,18 @@ dependencies = [
 
 [[package]]
 name = "rb-sys"
-version = "0.9.111"
+version = "0.9.124"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "becea799ce051c16fb140be80f5e7cf781070f99ca099332383c2b17861249af"
+checksum = "c85c4188462601e2aa1469def389c17228566f82ea72f137ed096f21591bc489"
 dependencies = [
  "rb-sys-build",
 ]
 
 [[package]]
 name = "rb-sys-build"
-version = "0.9.111"
+version = "0.9.124"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "64691175abc704862f60a9ca8ef06174080cc50615f2bf1d4759f46db18b4d29"
+checksum = "568068db4102230882e6d4ae8de6632e224ca75fe5970f6e026a04e91ed635d3"
 dependencies = [
  "bindgen",
  "lazy_static",
@@ -2578,9 +2578,9 @@ dependencies = [
 
 [[package]]
 name = "rb-sys-env"
-version = "0.1.2"
+version = "0.2.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a35802679f07360454b418a5d1735c89716bde01d35b1560fc953c1415a0b3bb"
+checksum = "cca7ad6a7e21e72151d56fe2495a259b5670e204c3adac41ee7ef676ea08117a"
 
 [[package]]
 name = "rcgen"
@@ -2972,9 +2972,9 @@ dependencies = [
 
 [[package]]
 name = "serde_magnus"
-version = "0.9.0"
+version = "0.11.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "51b8b945a2dadb221f1c5490cfb411cab6c3821446b8eca50ee07e5a3893ec51"
+checksum = "8ff64c88ddd26acdcad5a501f18bcc339927b77b69f4a03bfaf2a6fc5ba2ac4b"
 dependencies = [
  "magnus",
  "serde",

data/ext/itsi_error/Cargo.toml

@@ -5,7 +5,7 @@ edition = "2021"
 
 [dependencies]
 thiserror = "2.0.11"
-magnus = { version = "0.7.1" }
+magnus = { version = "0.8.2" }
 rcgen = "0.13.2"
 nix = "0.29.0"
 httparse = "1.10.1"

data/ext/itsi_rb_helpers/Cargo.toml

@@ -5,7 +5,7 @@ edition = "2021"
 
 [dependencies]
 cfg-if = "1.0.0"
-magnus = { version = "0.7.1", features = ["rb-sys", "bytes"] }
+magnus = { version = "0.8.2", features = ["rb-sys", "bytes"] }
 nix = "0.29.0"
-rb-sys = "0.9.105"
+rb-sys = "0.9.117"
 serde = "1.0.219"

data/ext/itsi_rb_helpers/src/heap_value.rs

@@ -1,7 +1,7 @@
-use magnus::IntoValue;
 use magnus::rb_sys::AsRawValue;
 use magnus::value::BoxValue;
-use magnus::{Ruby, Value, value::ReprValue};
+use magnus::IntoValue;
+use magnus::{value::ReprValue, Ruby, Value};
 use std::fmt::{self, Debug, Formatter};
 use std::ops::Deref;
 

data/ext/itsi_rb_helpers/src/lib.rs

@@ -1,14 +1,14 @@
 use std::{ffi::c_int, os::raw::c_void, ptr::null_mut};
 
 use magnus::{
-    ArgList, RArray, Ruby, Thread, Value,
     block::Proc,
-    rb_sys::{AsRawId, FromRawValue, protect},
+    rb_sys::{protect, AsRawId, FromRawValue},
     value::{IntoId, LazyId, ReprValue},
+    ArgList, RArray, Ruby, Thread, Value,
 };
 use rb_sys::{
-    VALUE, rb_funcallv, rb_thread_call_with_gvl, rb_thread_call_without_gvl, rb_thread_create,
-    rb_thread_schedule, rb_thread_wakeup,
+    rb_funcallv, rb_thread_call_with_gvl, rb_thread_call_without_gvl, rb_thread_create,
+    rb_thread_schedule, rb_thread_wakeup, VALUE,
 };
 
 mod heap_value;
@@ -182,7 +182,11 @@ pub fn terminate_non_fork_safe_threads() {
                 && !v_thread
                     .funcall::<_, _, bool>(*ID_THREAD_VARIABLE_GET, (ruby.sym_new("fork_safe"),))
                     .unwrap_or(false);
-            if non_fork_safe { Some(v_thread) } else { None }
+            if non_fork_safe {
+                Some(v_thread)
+            } else {
+                None
+            }
         })
         .collect::<Vec<_>>();
 

data/ext/itsi_scheduler/Cargo.toml

@@ -10,7 +10,7 @@ publish = false
 crate-type = ["cdylib"]
 
 [dependencies]
-magnus = { version = "0.7.1", features = ["rb-sys", "bytes"] }
+magnus = { version = "0.8.2", features = ["rb-sys", "bytes"] }
 derive_more = { version = "2.0.1", features = ["debug"] }
 itsi_tracing = { path = "../itsi_tracing" }
 itsi_rb_helpers = { path = "../itsi_rb_helpers" }
@@ -18,7 +18,7 @@ itsi_error = { path = "../itsi_error" }
 itsi_instrument_entry = { path = "../itsi_instrument_entry" }
 parking_lot = "0.12.3"
 mio = { version = "1.0.3", features = ["os-poll", "os-ext"] }
-rb-sys = "0.9.105"
+rb-sys = "0.9.117"
 bytes = "1.10.1"
 nix = "0.29.0"
 tracing = "0.1.41"

data/ext/itsi_server/Cargo.toml

@@ -42,7 +42,7 @@ itsi_rb_helpers = { path = "../itsi_rb_helpers" }
 itsi_tracing = { path = "../itsi_tracing" }
 itsi_acme = { path = "../itsi_acme" }
 jsonwebtoken = "9.3.1"
-magnus = { version = "0.7.1", features = ["bytes", "rb-sys"] }
+magnus = { version = "0.8.2", features = ["bytes", "rb-sys"] }
 notify = { version = "8.0.0" }
 nix = { version = "0.29.0", features = [
   "socket",
@@ -72,7 +72,7 @@ rustls = "0.23.23"
 rustls-pemfile = "2.2.0"
 serde = "1.0.219"
 serde_json = "1.0.140"
-serde_magnus = "0.9.0"
+serde_magnus = "0.11.0"
 sha2 = "0.10.8"
 socket2 = "0.5.8"
 sysinfo = "0.33.1"

data/ext/itsi_server/src/lib.rs

@@ -7,7 +7,7 @@ pub mod ruby_types;
 pub mod server;
 pub mod services;
 
-use magnus::{error::Result, function, method, Module, Object, Ruby};
+use magnus::{error::Result, function, method, Class, Module, Object, Ruby};
 use prelude::*;
 use ruby_types::{
     itsi_body_proxy::ItsiBodyProxy, itsi_grpc_call::ItsiGrpcCall,
@@ -36,7 +36,8 @@ fn init(ruby: &Ruby) -> Result<()> {
     )?;
 
     let server = ruby.get_inner(&ITSI_SERVER);
-    server.define_singleton_method("new", function!(ItsiServer::new, 3))?;
+    server.define_alloc_func::<ItsiServer>();
+    server.define_method("initialize", method!(ItsiServer::initialize, 3))?;
     server.define_singleton_method("reset_signal_handlers", function!(reset_signal_handlers, 0))?;
     server.define_method("start", method!(ItsiServer::start, 0))?;
     server.define_method("stop", method!(ItsiServer::stop, 0))?;

data/ext/itsi_server/src/ruby_types/itsi_server.rs

@@ -13,26 +13,32 @@ use tracing::{info, instrument};
 mod file_watcher;
 pub mod itsi_server_config;
 #[magnus::wrap(class = "Itsi::Server", free_immediately, size)]
-#[derive(Clone)]
+#[derive(Clone, Default)]
 pub struct ItsiServer {
-    pub config: Arc<Mutex<Arc<ItsiServerConfig>>>,
+    pub config: Arc<Mutex<Option<Arc<ItsiServerConfig>>>>,
 }
 
 impl ItsiServer {
-    pub fn new(
-        ruby: &Ruby,
+    pub fn initialize(
+        &self,
         cli_params: RHash,
         itsifile_path: Option<PathBuf>,
         itsi_config_proc: Option<Proc>,
-    ) -> Result<Self> {
-        Ok(Self {
-            config: Arc::new(Mutex::new(Arc::new(ItsiServerConfig::new(
-                ruby,
-                cli_params,
-                itsifile_path,
-                itsi_config_proc,
-            )?))),
-        })
+    ) -> Result<()> {
+        let ruby = Ruby::get().map_err(|_| {
+            magnus::Error::new(
+                magnus::exception::runtime_error(),
+                "Failed to acquire Ruby VM handle",
+            )
+        })?;
+        let config = Arc::new(ItsiServerConfig::new(
+            &ruby,
+            cli_params,
+            itsifile_path,
+            itsi_config_proc,
+        )?);
+        *self.config.lock() = Some(config);
+        Ok(())
     }
 
     pub fn stop(&self) -> Result<()> {
@@ -40,10 +46,20 @@ impl ItsiServer {
         Ok(())
     }
 
+    fn config(&self) -> Result<Arc<ItsiServerConfig>> {
+        self.config.lock().as_ref().cloned().ok_or_else(|| {
+            magnus::Error::new(
+                magnus::exception::runtime_error(),
+                "Itsi::Server not initialized",
+            )
+        })
+    }
+
     #[instrument(skip(self))]
     pub fn start(&self) -> Result<()> {
-        self.config.lock().server_params.read().setup_listeners()?;
-        let result = if self.config.lock().server_params.read().silence {
+        let server_config = self.config()?;
+        server_config.server_params.read().setup_listeners()?;
+        let result = if server_config.server_params.read().silence {
             run_silently(|| self.build_and_run_strategy())
         } else {
             info!("Itsi - Rolling into action. ⚪💨");
@@ -60,11 +76,11 @@ impl ItsiServer {
     }
 
     pub(crate) fn build_strategy(&self) -> Result<ServeStrategy> {
-        let server_config = self.config.lock();
+        let server_config = self.config()?;
         Ok(if server_config.server_params.read().workers > 1 {
-            ServeStrategy::Cluster(Arc::new(ClusterMode::new(server_config.clone())))
+            ServeStrategy::Cluster(Arc::new(ClusterMode::new(server_config)))
         } else {
-            ServeStrategy::Single(Arc::new(SingleMode::new(server_config.clone(), 0)?))
+            ServeStrategy::Single(Arc::new(SingleMode::new(server_config, 0)?))
         })
     }
 

data/ext/itsi_server/src/server/frame_stream.rs

@@ -48,9 +48,10 @@ impl Stream for FrameStream {
                 if this.shutdown_rx.has_changed().unwrap_or(false)
                     && *this.shutdown_rx.borrow() == RunningPhase::ShutdownPending
                 {
-                    while let Ok(bytes) = this.receiver.try_recv() {
+                    if let Ok(bytes) = this.receiver.try_recv() {
                         return Poll::Ready(Some(Ok(bytes)));
                     }
+
                     this.drained = true;
                     return Poll::Ready(None);
                 }

data/ext/itsi_server/src/server/middleware_stack/middlewares/mod.rs

@@ -43,7 +43,7 @@ pub use error_response::ErrorResponse;
 pub use etag::ETag;
 pub use intrusion_protection::IntrusionProtection;
 pub use log_requests::LogRequests;
-use magnus::error::Result;
+use magnus::{error::Result, Ruby};
 use magnus::rb_sys::AsRawValue;
 use magnus::Value;
 pub use max_body::MaxBody;
@@ -88,7 +88,13 @@ pub trait FromValue: Sized + Send + Sync + 'static {
             }
         }
 
-        let deserialized: Arc<Self> = Arc::new(deserialize(value)?);
+        let ruby = Ruby::get().map_err(|_| {
+            magnus::Error::new(
+                magnus::exception::runtime_error(),
+                "Failed to acquire Ruby VM handle",
+            )
+        })?;
+        let deserialized: Arc<Self> = Arc::new(deserialize(&ruby, value)?);
         cache.insert(raw, deserialized.clone());
         Ok(deserialized)
     }

data/ext/itsi_server/src/server/middleware_stack/middlewares/static_assets.rs

@@ -27,6 +27,59 @@ use std::{
 };
 use tracing::debug;
 
+/// Compact representation of the client's Accept-Encoding preferences.
+/// Priority order is determined by the bit checks in `pick_encoding`.
+#[derive(Clone, Copy, Debug, Default)]
+struct AcceptEncodingMask(u8);
+
+impl AcceptEncodingMask {
+    const BR: u8 = 1 << 0;
+    const GZIP: u8 = 1 << 1;
+    const ZSTD: u8 = 1 << 2;
+    const DEFLATE: u8 = 1 << 3;
+
+    fn from_headers(headers: &[HeaderValue]) -> Self {
+        let mut mask = 0u8;
+
+        for hv in headers {
+            let Ok(s) = hv.to_str() else { continue };
+
+            // We intentionally ignore q-values and treat any mention as "acceptable".
+            // This is a fast-path optimization for common benchmark/client headers.
+            for part in s.split(',') {
+                let token = part.split(';').next().unwrap_or("").trim();
+                match token {
+                    "br" => mask |= Self::BR,
+                    "gzip" => mask |= Self::GZIP,
+                    "zstd" => mask |= Self::ZSTD,
+                    "deflate" => mask |= Self::DEFLATE,
+                    _ => {}
+                }
+            }
+        }
+
+        Self(mask)
+    }
+
+    fn pick_encoding(self) -> Option<&'static str> {
+        // Prefer stronger/faster compression if available.
+        // (Actual availability is checked by the file server.)
+        if (self.0 & Self::ZSTD) != 0 {
+            return Some("zstd");
+        }
+        if (self.0 & Self::BR) != 0 {
+            return Some("br");
+        }
+        if (self.0 & Self::GZIP) != 0 {
+            return Some("gzip");
+        }
+        if (self.0 & Self::DEFLATE) != 0 {
+            return Some("deflate");
+        }
+        None
+    }
+}
+
 #[derive(Debug, Deserialize)]
 pub struct StaticAssets {
     pub root_dir: PathBuf,
@@ -98,7 +151,10 @@ impl MiddlewareLayer for StaticAssets {
             return Ok(Either::Left(req));
         }
 
+        // We still populate the context cache for any other middleware that might want it,
+        // but we avoid re-parsing Accept-Encoding later by computing a compact mask here.
         context.set_supported_encoding_set(&req);
+
         let abs_path = req.uri().path();
         let rel_path = if !self.relative_path {
             abs_path.trim_start_matches("/")
@@ -119,7 +175,6 @@ impl MiddlewareLayer for StaticAssets {
         };
 
         debug!(target: "middleware::static_assets", "Asset path is {}", rel_path);
-        // Determine if this is a HEAD request
         let is_head_request = req.method() == Method::HEAD;
 
         // Extract range and if-modified-since headers
@@ -135,6 +190,22 @@ impl MiddlewareLayer for StaticAssets {
         let encodings: &[HeaderValue] = context
             .supported_encoding_set()
             .map_or(&[], |set| set.as_slice());
+
+        // Compute a fast encoding preference and narrow the encoding list we hand to the server.
+        // This avoids repeated per-request string splitting/trim in the static file server.
+        let mask = AcceptEncodingMask::from_headers(encodings);
+        let preferred = mask.pick_encoding();
+
+        let narrowed: [HeaderValue; 1];
+        let encodings_for_server: &[HeaderValue] = if let Some(token) = preferred {
+            // Safe: these are valid header values and the file server only needs to see
+            // a minimal representation to pick a cached variant.
+            narrowed = [HeaderValue::from_static(token)];
+            &narrowed
+        } else {
+            &[]
+        };
+
         let response = file_server
             .serve(
                 &req,
@@ -143,7 +214,7 @@ impl MiddlewareLayer for StaticAssets {
                 serve_range,
                 if_modified_since,
                 is_head_request,
-                encodings,
+                encodings_for_server,
             )
             .await;
 
@@ -156,40 +227,38 @@ impl MiddlewareLayer for StaticAssets {
 }
 
 fn parse_range_header(headers: &HeaderMap) -> ServeRange {
-    let range_header = headers.get(RANGE);
-    if range_header.is_none() {
+    let Some(range_header) = headers.get(RANGE) else {
         return ServeRange::Full;
-    }
-    let range_header = range_header.unwrap().to_str().unwrap_or("");
+    };
+
+    let range_header = range_header.to_str().unwrap_or("");
     let bytes_prefix = "bytes=";
     if !range_header.starts_with(bytes_prefix) {
         return ServeRange::Full;
     }
 
-    let range_str = &range_header[bytes_prefix.len()..];
-
-    let range_parts: Vec<&str> = range_str
+    // Only consider the first range specifier, ignore multi-range requests.
+    let range_str = range_header[bytes_prefix.len()..]
         .split(',')
         .next()
-        .unwrap_or("")
-        .split('-')
-        .collect();
-    if range_parts.len() != 2 {
+        .unwrap_or("");
+
+    let Some((start_str, end_str)) = range_str.split_once('-') else {
         return ServeRange::Full;
-    }
+    };
 
-    let start = if range_parts[0].is_empty() {
-        range_parts[1].parse::<u64>().unwrap_or(0)
-    } else if let Ok(start) = range_parts[0].parse::<u64>() {
+    let start = if start_str.is_empty() {
+        end_str.parse::<u64>().unwrap_or(0)
+    } else if let Ok(start) = start_str.parse::<u64>() {
         start
     } else {
         return ServeRange::Full;
     };
 
-    let end = if range_parts[1].is_empty() {
-        u64::MAX // Use u64::MAX as sentinel for open-ended ranges
-    } else if let Ok(end) = range_parts[1].parse::<u64>() {
-        end // No conversion needed, already u64
+    let end = if end_str.is_empty() {
+        u64::MAX // sentinel for open-ended ranges
+    } else if let Ok(end) = end_str.parse::<u64>() {
+        end
     } else {
         return ServeRange::Full;
     };

data/ext/itsi_server/src/services/password_hasher.rs

@@ -4,7 +4,7 @@ use argon2::{
 };
 
 use itsi_error::ItsiError;
-use magnus::{error::Result, Value};
+use magnus::{error::Result, Ruby, Value};
 use serde::Deserialize;
 use serde_magnus::deserialize;
 use sha_crypt::{
@@ -26,7 +26,13 @@ pub enum HashAlgorithm {
 }
 
 pub fn create_password_hash(password: String, algo: Value) -> Result<String> {
-    let hash_algorithm: HashAlgorithm = deserialize(algo)?;
+    let ruby = Ruby::get().map_err(|_| {
+        magnus::Error::new(
+            magnus::exception::runtime_error(),
+            "Failed to acquire Ruby VM handle",
+        )
+    })?;
+    let hash_algorithm: HashAlgorithm = deserialize(&ruby, algo)?;
     match hash_algorithm {
         HashAlgorithm::Bcrypt => {
             // Use the bcrypt crate for password hashing.

data/ext/itsi_server/src/services/rate_limiter.rs

@@ -6,9 +6,11 @@ use redis::{Client, RedisError, Script};
 use serde::Deserialize;
 use std::any::Any;
 use std::collections::{HashMap, HashSet};
+use std::fmt::Write as _;
 use std::result::Result;
+use std::sync::atomic::{AtomicU64, Ordering};
 use std::sync::{Arc, LazyLock};
-use std::time::{Duration, Instant};
+use std::time::{Duration, Instant, SystemTime, UNIX_EPOCH};
 use tokio::sync::Mutex as AsyncMutex;
 use tokio::time::timeout;
 use tracing::warn;
@@ -303,27 +305,37 @@ impl RateLimiter for InMemoryRateLimiter {
 
         let mut entries = self.entries.write();
 
-        let entry = entries
-            .entry(key.to_string())
-            .or_insert_with(|| RateLimitEntry {
-                count: 0,
-                expires_at: now + timeout,
-            });
+        // Avoid per-request allocation: only allocate a String when inserting a new key.
+        //
+        // NOTE: we use `get_mut` first because `HashMap::entry` for `HashMap<String, _>`
+        // requires an owned `String`, which would allocate on every request.
+        if let Some(entry) = entries.get_mut(key) {
+            if entry.expires_at < now {
+                entry.expires_at = now + timeout;
+                entry.count = 1;
+            } else {
+                entry.count += 1;
+            }
+
+            let ttl = if entry.expires_at > now {
+                entry.expires_at.duration_since(now).as_secs()
+            } else {
+                0
+            };
 
-        if entry.expires_at < now {
-            entry.expires_at = now + timeout;
-            entry.count = 1;
-        } else {
-            entry.count += 1;
+            return Ok((entry.count, ttl));
         }
 
-        let ttl = if entry.expires_at > now {
-            entry.expires_at.duration_since(now).as_secs()
-        } else {
-            0
-        };
+        // Insert path: allocate once for the new key.
+        entries.insert(
+            key.to_owned(),
+            RateLimitEntry {
+                count: 1,
+                expires_at: now + timeout,
+            },
+        );
 
-        Ok((entry.count, ttl))
+        Ok((1, timeout.as_secs()))
     }
 
     async fn check_limit(
@@ -378,14 +390,49 @@ impl BanManager {
 }
 
 /// Utility function to create a rate limit key for a specific minute
-pub fn create_rate_limit_key(api_key: &str, resource: &str) -> String {
-    // Get the current minute number (0-59)
-    let now = std::time::SystemTime::now()
-        .duration_since(std::time::UNIX_EPOCH)
-        .unwrap_or_default();
+static CACHED_MINUTE_BUCKET_SECS: AtomicU64 = AtomicU64::new(0);
+static CACHED_MINUTE_BUCKET: AtomicU64 = AtomicU64::new(0);
+
+#[inline]
+fn cached_minute_bucket() -> u64 {
+    // Cache the computed minute bucket and only refresh at most once per second.
+    // This avoids a syscall and divisions/mods on every request, while preserving
+    // the exact same value as the previous implementation.
+    let now_secs = SystemTime::now()
+        .duration_since(UNIX_EPOCH)
+        .unwrap_or_default()
+        .as_secs();
+
+    let last = CACHED_MINUTE_BUCKET_SECS.load(Ordering::Relaxed);
+    if last != now_secs {
+        let minutes = (now_secs / 60) % 60;
+        CACHED_MINUTE_BUCKET.store(minutes, Ordering::Relaxed);
+        CACHED_MINUTE_BUCKET_SECS.store(now_secs, Ordering::Relaxed);
+        minutes
+    } else {
+        CACHED_MINUTE_BUCKET.load(Ordering::Relaxed)
+    }
+}
 
-    let minutes = now.as_secs() / 60 % 60;
-    format!("ratelimit:{}:{}:{}", api_key, resource, minutes)
+pub fn create_rate_limit_key(api_key: &str, resource: &str) -> String {
+    let minutes = cached_minute_bucket();
+
+    // Build the exact same string as:
+    // format!("ratelimit:{}:{}:{}", api_key, resource, minutes)
+    // but avoid `format!` machinery and minimize reallocations.
+    let mut s = String::with_capacity(
+        "ratelimit:".len() + api_key.len() + 1 + resource.len() + 1 + 2, // minutes is 0-59
+    );
+
+    s.push_str("ratelimit:");
+    s.push_str(api_key);
+    s.push(':');
+    s.push_str(resource);
+    s.push(':');
+    // u64->decimal without intermediate allocation
+    let _ = write!(&mut s, "{}", minutes);
+
+    s
 }
 
 /// Utility function to create a ban key for an IP address