reactive-actions 0.1.0.pre.alpha.2 → 0.1.0.pre.alpha.3

data/app/controllers/reactive_actions/reactive_actions_controller.rb

@@ -4,6 +4,9 @@ module ReactiveActions
   # Main controller for handling reactive action requests
   # Processes action execution and manages error handling for the ReactiveActions engine
   class ReactiveActionsController < ApplicationController
+    # Include rate limiting functionality
+    include ReactiveActions::Controller::RateLimiter
+
     # Allow this action to handle any HTTP method
     def execute
       ReactiveActions.logger.info "ReactiveActionsController#execute[#{request.method}]: #{params.inspect}"
@@ -118,7 +121,8 @@ module ReactiveActions
         'MissingParameterError' => [:bad_request, 'MISSING_PARAMETER'],
         'InvalidParametersError' => [:bad_request, 'INVALID_PARAMETERS'],
         'UnauthorizedError' => [:forbidden, 'UNAUTHORIZED'],
-        'ActionExecutionError' => [:unprocessable_entity, 'EXECUTION_ERROR']
+        'ActionExecutionError' => [:unprocessable_entity, 'EXECUTION_ERROR'],
+        'RateLimitExceededError' => [:too_many_requests, 'RATE_LIMIT_EXCEEDED']
       }
 
       error_type = exception.class.name.demodulize

data/lib/generators/reactive_actions/install/install_generator.rb

@@ -31,6 +31,16 @@ module ReactiveActions
       class_option :quiet, type: :boolean, default: false,
                            desc: 'Run with minimal output'
 
+      # Rate limiting options
+      class_option :enable_rate_limiting, type: :boolean, default: false,
+                                          desc: 'Enable rate limiting features'
+      class_option :enable_global_rate_limiting, type: :boolean, default: false,
+                                                 desc: 'Enable global controller-level rate limiting'
+      class_option :global_rate_limit, type: :numeric, default: 600,
+                                       desc: 'Global rate limit (requests per window)'
+      class_option :global_rate_limit_window, type: :string, default: '1.minute',
+                                              desc: 'Global rate limit window (e.g., "1.minute", "5.minutes")'
+
       def welcome_message
         return if options[:quiet]
 
@@ -39,24 +49,25 @@ module ReactiveActions
         say ''
       end
 
+      def gather_configuration
+        # Gather all configuration before creating files
+        setup_rate_limiting_configuration_for_initializer
+      end
+
       def create_initializer
-        if options[:quiet] || yes?('Create ReactiveActions initializer? (recommended)', :green)
-          template 'initializer.rb', 'config/initializers/reactive_actions.rb'
-          say '✓ Created initializer', :green unless options[:quiet]
-        else
-          say '✗ Skipped initializer creation', :yellow
-        end
+        return unless options[:quiet] || yes?('Create ReactiveActions initializer? (recommended)', :green)
+
+        template 'initializer.rb', 'config/initializers/reactive_actions.rb'
+        say '✓ Created initializer', :green unless options[:quiet]
       end
 
       def create_actions_directory
-        if options[:quiet] || yes?('Create app/reactive_actions directory?', :green)
-          empty_directory 'app/reactive_actions'
-          say '✓ Created actions directory', :green unless options[:quiet]
+        return unless options[:quiet] || yes?('Create app/reactive_actions directory?', :green)
 
-          ask_for_example_action unless options[:skip_example]
-        else
-          say '✗ Skipped actions directory creation', :yellow
-        end
+        empty_directory 'app/reactive_actions'
+        say '✓ Created actions directory', :green unless options[:quiet]
+
+        ask_for_example_action unless options[:skip_example]
       end
 
       def configure_routes
@@ -72,14 +83,11 @@ module ReactiveActions
       def configure_javascript
         return if options[:skip_javascript]
         return unless javascript_needed?
+        return unless options[:quiet] || yes?('Add ReactiveActions JavaScript client?', :green)
 
-        if options[:quiet] || yes?('Add ReactiveActions JavaScript client?', :green)
-          add_javascript_to_importmap
-          add_javascript_initialization
-          say '✓ Added JavaScript client with initialization', :green unless options[:quiet]
-        else
-          say '✗ Skipped JavaScript configuration', :yellow
-        end
+        add_javascript_to_importmap
+        add_javascript_initialization
+        say '✓ Added JavaScript client with initialization', :green unless options[:quiet]
       end
 
       def javascript_configuration_options
@@ -89,6 +97,19 @@ module ReactiveActions
         configure_javascript_options
       end
 
+      def rate_limiting_configuration
+        # Show rate limiting configuration summary if it was configured
+        return unless @rate_limiting_config && @rate_limiting_config[:rate_limiting_enabled] && !options[:quiet]
+
+        say '', :green
+        say '✓ Rate limiting configured:', :green
+        say "  - Rate limiting: #{@rate_limiting_config[:rate_limiting_enabled] ? 'ENABLED' : 'DISABLED'}", :blue
+        say "  - Global rate limiting: #{@rate_limiting_config[:global_rate_limiting_enabled] ? 'ENABLED' : 'DISABLED'}", :blue
+        return unless @rate_limiting_config[:global_rate_limiting_enabled]
+
+        say "  - Global limit: #{@rate_limiting_config[:global_rate_limit]} requests per #{@rate_limiting_config[:global_rate_limit_window]}", :blue
+      end
+
       def configuration_options
         return if options[:quiet]
         return unless yes?('Configure advanced options?', :green)
@@ -110,6 +131,62 @@ module ReactiveActions
 
       private
 
+      def setup_rate_limiting_configuration_for_initializer
+        if rate_limiting_options_provided?
+          configure_rate_limiting_from_options_quietly
+        elsif !options[:quiet] && ask_about_rate_limiting?
+          configure_rate_limiting_interactively
+        else
+          @rate_limiting_config = {}
+        end
+      end
+
+      def rate_limiting_options_provided?
+        options[:enable_rate_limiting] || options[:enable_global_rate_limiting]
+      end
+
+      def ask_about_rate_limiting?
+        yes?('Configure rate limiting? (optional but recommended for production)', :green)
+      end
+
+      def configure_rate_limiting_from_options_quietly
+        @rate_limiting_config = {
+          rate_limiting_enabled: options[:enable_rate_limiting] || options[:enable_global_rate_limiting],
+          global_rate_limiting_enabled: options[:enable_global_rate_limiting]
+        }
+
+        return unless options[:enable_global_rate_limiting]
+
+        @rate_limiting_config[:global_rate_limit] = options[:global_rate_limit]
+        @rate_limiting_config[:global_rate_limit_window] = options[:global_rate_limit_window]
+      end
+
+      def configure_rate_limiting_interactively
+        @rate_limiting_config = {}
+
+        enable_rate_limiting = yes?('Enable rate limiting features?', :green)
+        @rate_limiting_config[:rate_limiting_enabled] = enable_rate_limiting
+        return unless enable_rate_limiting
+
+        enable_global = yes?('Enable global controller-level rate limiting? (recommended)', :green)
+        @rate_limiting_config[:global_rate_limiting_enabled] = enable_global
+
+        return unless enable_global
+
+        limit = ask('Global rate limit (requests per window):', default: 600)
+        @rate_limiting_config[:global_rate_limit] = limit.to_i
+
+        window = ask('Global rate limit window:',
+                     limited_to: %w[30.seconds 1.minute 5.minutes 15.minutes 1.hour],
+                     default: '1.minute')
+        @rate_limiting_config[:global_rate_limit_window] = window
+
+        return unless yes?('Configure custom rate limit key generator? (advanced)', :green)
+
+        say 'You can customize how rate limit keys are generated in the initializer.'
+        @rate_limiting_config[:custom_key_generator] = true
+      end
+
       def should_skip_example_action?
         return true if options[:skip_example]
         return true if !options[:quiet] && !yes?('Generate example action file?', :green)
@@ -192,26 +269,11 @@ module ReactiveActions
         app_js_path = app_js_paths.find { |path| File.exist?(path) }
 
         if app_js_path
-          # Check if ReactiveActions is already configured
           app_js_content = File.read(app_js_path)
           return if app_js_content.include?('ReactiveActions') || app_js_content.include?('reactive_actions')
 
-          # Generate JavaScript initialization code
           js_config = generate_javascript_config
-
-          js_code = <<~JAVASCRIPT
-
-            // Import and initialize ReactiveActions
-            import ReactiveActionsClient from "reactive_actions"
-
-            // Create and configure ReactiveActions instance
-            const reactiveActions = new ReactiveActionsClient(#{js_config});
-
-            #{generate_initialization_code}
-
-            // Make ReactiveActions globally available
-            window.ReactiveActions = reactiveActions;
-          JAVASCRIPT
+          js_code = build_javascript_code(js_config)
 
           append_to_file app_js_path, js_code
           say "✓ Added ReactiveActions initialization to #{app_js_path}", :green unless options[:quiet]
@@ -222,12 +284,9 @@ module ReactiveActions
 
       def generate_javascript_config
         config = {}
-
-        # Add mount path if different from default
         mount_path = determine_mount_path || options[:mount_path]
         config[:baseUrl] = "#{mount_path}/execute" if mount_path != '/reactive_actions'
 
-        # Add configuration options
         config[:enableAutoBinding] = javascript_option_value(:enable_dom_binding)
         config[:enableMutationObserver] = javascript_option_value(:enable_mutation_observer)
         config[:defaultHttpMethod] = javascript_option_value(:default_http_method, 'POST')
@@ -240,6 +299,22 @@ module ReactiveActions
         config.empty? ? '{}' : JSON.pretty_generate(config)
       end
 
+      def build_javascript_code(js_config)
+        <<~JAVASCRIPT
+
+          // Import and initialize ReactiveActions
+          import ReactiveActionsClient from "reactive_actions"
+
+          // Create and configure ReactiveActions instance
+          const reactiveActions = new ReactiveActionsClient(#{js_config});
+
+          #{generate_initialization_code}
+
+          // Make ReactiveActions globally available
+          window.ReactiveActions = reactiveActions;
+        JAVASCRIPT
+      end
+
       def generate_initialization_code
         if javascript_option_value(:auto_initialize)
           <<~JAVASCRIPT.strip
@@ -249,10 +324,7 @@ module ReactiveActions
             document.addEventListener('turbo:frame-load', () => reactiveActions.initialize());
           JAVASCRIPT
         else
-          <<~JAVASCRIPT.strip
-            // Manual initialization - call reactiveActions.initialize() when ready
-            // Example: reactiveActions.initialize();
-          JAVASCRIPT
+          '// Manual initialization - call reactiveActions.initialize() when ready'
         end
       end
 
@@ -271,22 +343,17 @@ module ReactiveActions
       def configure_javascript_options
         return unless yes?('Configure JavaScript client options?', :green)
 
-        # Auto-initialize option
-        auto_init = yes?('Auto-initialize ReactiveActions on page load? (recommended)', :green)
         @javascript_options ||= {}
-        @javascript_options[:auto_initialize] = auto_init
+        @javascript_options[:auto_initialize] = yes?('Auto-initialize ReactiveActions on page load? (recommended)', :green)
 
-        # DOM binding option
         enable_dom = yes?('Enable automatic DOM binding? (recommended)', :green)
         @javascript_options[:enable_dom_binding] = enable_dom
 
-        # Mutation observer option
         if enable_dom
           enable_observer = yes?('Enable mutation observer for dynamic content? (recommended)', :green)
           @javascript_options[:enable_mutation_observer] = enable_observer
         end
 
-        # Default HTTP method
         http_methods = %w[POST GET PUT PATCH DELETE]
         default_method = ask('Default HTTP method:', limited_to: http_methods, default: 'POST')
         @javascript_options[:default_http_method] = default_method unless default_method == 'POST'
@@ -295,9 +362,7 @@ module ReactiveActions
       def add_to_sprockets_manifest
         return unless File.exist?('app/assets/config/manifest.js')
 
-        append_to_file 'app/assets/config/manifest.js' do
-          "\n//= link reactive_actions.js\n"
-        end
+        append_to_file 'app/assets/config/manifest.js', "\n//= link reactive_actions.js\n"
       end
 
       def configure_delegated_methods
@@ -352,6 +417,11 @@ module ReactiveActions
         template 'example_action.rb', "app/reactive_actions/#{sanitized_name}.rb"
         say "✓ Created #{sanitized_name}.rb", :green unless options[:quiet]
       end
+
+      # Template method to access rate limiting config in templates
+      def rate_limiting_config
+        @rate_limiting_config || {}
+      end
     end
   end
 end

data/lib/generators/reactive_actions/install/templates/initializer.rb

@@ -7,6 +7,51 @@ ReactiveActions.configure do |config|
 
   # Configure instance variables to delegate from the controller to action classes
   # config.delegated_instance_variables += [:custom_variable]
+
+  # Rate Limiting Configuration
+  # ============================
+  
+<% if rate_limiting_config[:rate_limiting_enabled] -%>
+  # Rate limiting is enabled
+  config.rate_limiting_enabled = true
+
+<% if rate_limiting_config[:global_rate_limiting_enabled] -%>
+  # Global controller-level rate limiting is enabled
+  config.global_rate_limiting_enabled = true
+  config.global_rate_limit = <%= rate_limiting_config[:global_rate_limit] || 600 %>
+  config.global_rate_limit_window = <%= rate_limiting_config[:global_rate_limit_window] || '1.minute' %>
+
+<% else -%>
+  # Global rate limiting is disabled
+  config.global_rate_limiting_enabled = false
+
+<% end -%>
+<% if rate_limiting_config[:custom_key_generator] -%>
+  # Custom rate limit key generator
+  # Uncomment and customize as needed:
+  # config.rate_limit_key_generator = ->(request, action_name) do
+  #   # Example: user-based key with action scope
+  #   user_id = request.headers['X-User-ID'] || 'anonymous'
+  #   "#{action_name}:user:#{user_id}"
+  # end
+
+<% end -%>
+<% else -%>
+  # Rate limiting is disabled by default
+  # To enable rate limiting, uncomment and configure:
+  # config.rate_limiting_enabled = true
+  # config.global_rate_limiting_enabled = true
+  # config.global_rate_limit = 600
+  # config.global_rate_limit_window = 1.minute
+  
+  # Custom rate limit key generator (optional)
+  # config.rate_limit_key_generator = ->(request, action_name) do
+  #   # Example: user-based key with action scope
+  #   user_id = request.headers['X-User-ID'] || 'anonymous'
+  #   "#{action_name}:user:#{user_id}"
+  # end
+
+<% end -%>
 end
 
 # Set the logger for ReactiveActions
@@ -24,4 +69,4 @@ ReactiveActions.logger = Rails.logger
 #   defaultHttpMethod: 'POST'
 # }).reinitialize();
 #
-# Available globally as window.ReactiveActions
+# Available globally as window.ReactiveActions

data/lib/reactive_actions/concerns/rate_limiter.rb

@@ -0,0 +1,174 @@
+# frozen_string_literal: true
+
+module ReactiveActions
+  module Concerns
+    # Rate limiting module for ReactiveActions that can be included in actions or other classes
+    # Provides convenient methods for checking and managing rate limits
+    module RateLimiter
+      # Helper method for rate limiting in security checks or actions
+      # Automatically respects the global rate_limiting_enabled setting
+      # @param key [String, nil] Custom cache key, uses default if nil
+      # @param limit [Integer] Maximum number of requests allowed
+      # @param window [ActiveSupport::Duration] Time window for the limit
+      # @param cost [Integer] Cost of this request (default: 1)
+      # @raise [RateLimitExceededError] When rate limit is exceeded
+      def rate_limit!(key: nil, limit: 100, window: 1.hour, cost: 1)
+        # Early return if rate limiting is disabled
+        return unless ReactiveActions.configuration.rate_limiting_enabled
+
+        effective_key = key || default_rate_limit_key
+
+        ReactiveActions::RateLimiter.check!(
+          key: effective_key,
+          limit: limit,
+          window: window,
+          cost: cost
+        )
+      end
+
+      # Check rate limit without raising an error (also respects configuration)
+      # @param key [String, nil] Custom cache key, uses default if nil
+      # @param limit [Integer] Maximum number of requests allowed
+      # @param window [ActiveSupport::Duration] Time window for the limit
+      # @return [Hash] Rate limit status information
+      def rate_limit_status(key: nil, limit: 100, window: 1.hour)
+        # Return "unlimited" status if rate limiting is disabled
+        unless ReactiveActions.configuration.rate_limiting_enabled
+          return {
+            limit: Float::INFINITY,
+            remaining: Float::INFINITY,
+            current: 0,
+            window: window,
+            exceeded: false,
+            enabled: false
+          }
+        end
+
+        effective_key = key || default_rate_limit_key
+
+        ReactiveActions::RateLimiter.check(
+          key: effective_key,
+          limit: limit,
+          window: window
+        ).merge(enabled: true)
+      end
+
+      # Reset rate limit for a specific key
+      # @param key [String, nil] Custom cache key, uses default if nil
+      # @param window [ActiveSupport::Duration] Time window for the limit
+      def reset_rate_limit!(key: nil, window: 1.hour)
+        return unless ReactiveActions.configuration.rate_limiting_enabled
+
+        effective_key = key || default_rate_limit_key
+
+        ReactiveActions::RateLimiter.reset!(
+          key: effective_key,
+          window: window
+        )
+      end
+
+      # Check if rate limiting is currently enabled
+      # @return [Boolean] True if rate limiting is enabled
+      def rate_limiting_enabled?
+        ReactiveActions.configuration.rate_limiting_enabled
+      end
+
+      # Get remaining requests for a specific key without consuming any
+      # @param key [String, nil] Custom cache key, uses default if nil
+      # @param limit [Integer] Maximum number of requests allowed
+      # @param window [ActiveSupport::Duration] Time window for the limit
+      # @return [Integer, Float] Number of remaining requests, or Float::INFINITY if disabled
+      def rate_limit_remaining(key: nil, limit: 100, window: 1.hour)
+        status = rate_limit_status(key: key, limit: limit, window: window)
+        status[:remaining]
+      end
+
+      # Check if a key would exceed rate limit for a given cost
+      # @param key [String, nil] Custom cache key, uses default if nil
+      # @param limit [Integer] Maximum number of requests allowed
+      # @param window [ActiveSupport::Duration] Time window for the limit
+      # @param cost [Integer] Cost to check (default: 1)
+      # @return [Boolean] True if the cost would exceed the limit
+      def rate_limit_would_exceed?(key: nil, limit: 100, window: 1.hour, cost: 1)
+        return false unless ReactiveActions.configuration.rate_limiting_enabled
+
+        status = rate_limit_status(key: key, limit: limit, window: window)
+        status[:remaining] < cost
+      end
+
+      # Create a rate limit key for a specific scope
+      # @param scope [String, Symbol] The scope (e.g., 'api', 'search', 'upload')
+      # @param identifier [String, nil] Custom identifier, uses default if nil
+      # @return [String] Formatted rate limit key
+      def rate_limit_key_for(scope, identifier: nil)
+        base_key = identifier || extract_identifier_from_context
+        "#{scope}:#{base_key}"
+      end
+
+      # Log rate limiting events for debugging/monitoring
+      # @param event [String] Event type (e.g., 'exceeded', 'checked', 'reset')
+      # @param details [Hash] Additional details to log
+      def log_rate_limit_event(event, details = {})
+        return unless ReactiveActions.logger
+
+        ReactiveActions.logger.info(
+          "Rate Limit #{event.capitalize}: #{details.merge(key: default_rate_limit_key)}"
+        )
+      end
+
+      private
+
+      # Default key generation for rate limiting
+      # This method tries different approaches to generate a meaningful key
+      # @return [String] A rate limit key
+      def default_rate_limit_key
+        # Try different methods to get a meaningful identifier
+        if respond_to?(:current_user) && current_user
+          "user:#{current_user.id}"
+        elsif respond_to?(:controller) && controller.respond_to?(:request)
+          extract_key_from_request(controller.request)
+        elsif respond_to?(:request) && request
+          extract_key_from_request(request)
+        else
+          "anonymous:#{SecureRandom.hex(8)}"
+        end
+      end
+
+      # Extract identifier from current context (user, request, etc.)
+      # @return [String] An identifier for the current context
+      def extract_identifier_from_context
+        if respond_to?(:current_user) && current_user
+          current_user.id.to_s
+        elsif respond_to?(:controller) && controller.respond_to?(:request)
+          controller.request.remote_ip
+        elsif respond_to?(:request) && request
+          request.remote_ip
+        else
+          'unknown'
+        end
+      end
+
+      # Extract a rate limiting key from a request object
+      # @param request [ActionDispatch::Request] The request object
+      # @return [String] A rate limit key based on the request
+      def extract_key_from_request(request)
+        # Try to get user info from headers first
+        if request.headers['X-User-ID'].present?
+          "user:#{request.headers['X-User-ID']}"
+        elsif request.headers['Authorization'].present?
+          # Extract from API token/key
+          auth_header = request.headers['Authorization']
+          if auth_header.start_with?('Bearer ')
+            token = auth_header.gsub('Bearer ', '')
+            "token:#{Digest::SHA256.hexdigest(token)[0..8]}" # Hash for privacy
+          else
+            "auth:#{request.remote_ip}"
+          end
+        else
+          # Fallback to IP address
+          "ip:#{request.remote_ip}"
+        end
+      end
+    end
+  end
+end

data/lib/reactive_actions/concerns/security_checks.rb

@@ -0,0 +1,108 @@
+# frozen_string_literal: true
+
+module ReactiveActions
+  module Concerns
+    # Security checks module that provides simple security filtering with function names or lambdas
+    module SecurityChecks
+      extend ActiveSupport::Concern
+
+      included do
+        class_attribute :security_filters, default: []
+      end
+
+      class_methods do
+        # Add a security check that runs before the action
+        #
+        # @param check [Symbol, Proc] The method name or lambda to execute
+        # @param options [Hash] Conditions for when to run the check
+        # @option options [Symbol, Array<Symbol>] :only Run only for these actions
+        # @option options [Symbol, Array<Symbol>] :except Skip for these actions
+        # @option options [Symbol, Proc] :if Run only if condition is true
+        # @option options [Symbol, Proc] :unless Skip if condition is true
+        def security_check(check, **options)
+          self.security_filters = security_filters + [{ check: check, **options }]
+        end
+
+        # Skip all security checks for this action
+        def skip_security_checks
+          self.security_filters = []
+        end
+      end
+
+      private
+
+      # Run all configured security checks
+      def run_security_checks
+        self.class.security_filters.each do |filter_config|
+          next unless should_run_security_check?(filter_config)
+
+          execute_security_check(filter_config[:check])
+        end
+      end
+
+      # Determine if a security check should run based on conditions
+      def should_run_security_check?(filter_config)
+        return false unless check_only_condition(filter_config[:only])
+        return false if check_except_condition(filter_config[:except])
+        return false unless check_if_condition(filter_config[:if])
+        return false if check_unless_condition(filter_config[:unless])
+
+        true
+      end
+
+      def check_only_condition(only_condition)
+        return true unless only_condition
+
+        only_actions = Array(only_condition).map(&:to_s)
+        only_actions.include?('action')
+      end
+
+      def check_except_condition(except_condition)
+        return false unless except_condition
+
+        except_actions = Array(except_condition).map(&:to_s)
+        except_actions.include?('action')
+      end
+
+      def check_if_condition(if_condition)
+        return true unless if_condition
+
+        evaluate_condition(if_condition)
+      end
+
+      def check_unless_condition(unless_condition)
+        return false unless unless_condition
+
+        evaluate_condition(unless_condition)
+      end
+
+      def evaluate_condition(condition)
+        if condition.is_a?(Proc)
+          instance_exec(&condition)
+        elsif condition.is_a?(Symbol)
+          send(condition)
+        else
+          false
+        end
+      end
+
+      # Execute a single security check
+      def execute_security_check(check)
+        if check.is_a?(Proc)
+          instance_exec(&check)
+        elsif check.is_a?(Symbol)
+          send(check)
+        else
+          raise ReactiveActions::SecurityCheckError, "Invalid security check: #{check.inspect}"
+        end
+      rescue ReactiveActions::Error
+        # Re-raise ReactiveActions errors as-is
+        raise
+      rescue StandardError => e
+        # Convert other errors to security errors
+        ReactiveActions.logger.error "Security check failed in #{self.class.name}: #{e.message}"
+        raise ReactiveActions::SecurityCheckError, "Security check failed: #{e.message}"
+      end
+    end
+  end
+end

data/lib/reactive_actions/configuration.rb

@@ -1,11 +1,14 @@
 # frozen_string_literal: true
 
-# ReactiveActions module provides functionality for creating and executing reactive actions in Rails applications
+# ReactiveActions provides functionality for creating and executing reactive actions in Rails applications
 module ReactiveActions
   # Configuration class for ReactiveActions
-  # Manages settings for controller method delegation and instance variable delegation
+  # Manages settings for controller method delegation, instance variable delegation, and rate limiting
   class Configuration
-    attr_accessor :delegated_controller_methods, :delegated_instance_variables
+    attr_accessor :delegated_controller_methods, :delegated_instance_variables, :global_rate_limit, :global_rate_limit_window, :rate_limit_key_generator, :rate_limit_cost_calculator
+
+    # Rate limiting configuration
+    attr_accessor :rate_limiting_enabled, :global_rate_limiting_enabled
 
     def initialize
       # Default methods to delegate
@@ -16,6 +19,23 @@ module ReactiveActions
 
       # Default instance variables to delegate
       @delegated_instance_variables = []
+
+      # Rate limiting defaults - DISABLED by default
+      @rate_limiting_enabled = false           # Master switch for all rate limiting
+      @global_rate_limiting_enabled = false    # Global controller-level rate limiting
+      @global_rate_limit = 600                 # 600 requests per minute (10/second)
+      @global_rate_limit_window = 1.minute     # per minute for responsive rate limiting
+      @rate_limit_key_generator = nil          # Use default logic if nil
+      @rate_limit_cost_calculator = nil        # Use default cost of 1 if nil
+    end
+
+    # Helper methods for checking rate limiting status
+    def rate_limiting_available?
+      @rate_limiting_enabled
+    end
+
+    def global_rate_limiting_active?
+      @rate_limiting_enabled && @global_rate_limiting_enabled
     end
   end