Merge pull request 'feat(editor): page templates — live whole-page embed (MVP)' (#17) from feat/page-templates into develop

2026-06-20 20:34:44 +03:00
parent 7a03321d43 e9e9f74ec6
commit 19ae6a0efa
46 changed files with 2042 additions and 189 deletions
--- a/apps/server/src/integrations/throttle/throttle.module.ts
+++ b/apps/server/src/integrations/throttle/throttle.module.ts
@@ -7,6 +7,7 @@ import { parseRedisUrl } from '../../common/helpers';
 import {
  AUTH_THROTTLER,
  AI_CHAT_THROTTLER,
+  PAGE_TEMPLATE_THROTTLER,
  PUBLIC_SHARE_AI_THROTTLER,
 } from './throttler-names';
 import Redis from 'ioredis';
@@ -22,6 +23,11 @@ import Redis from 'ioredis';
          throttlers: [
            { name: AUTH_THROTTLER, ttl: 60_000, limit: 10 },
            { name: AI_CHAT_THROTTLER, ttl: 60_000, limit: 25 },
+            // Whole-page template lookup returns full ProseMirror docs for up
+            // to 50 ids per call and the embed depth cap is client-side only, so
+            // a scripted client could drive heavy content fan-out. 30 req/min
+            // per user is plenty for legitimate render-time batched lookups.
+            { name: PAGE_TEMPLATE_THROTTLER, ttl: 60_000, limit: 30 },
            // Anonymous public-share assistant: ~5 req/min per IP.
            { name: PUBLIC_SHARE_AI_THROTTLER, ttl: 60_000, limit: 5 },
          ],
--- a/apps/server/src/integrations/throttle/throttler-names.ts
+++ b/apps/server/src/integrations/throttle/throttler-names.ts
@@ -1,5 +1,6 @@
 export const AUTH_THROTTLER = 'auth';
 export const AI_CHAT_THROTTLER = 'ai-chat';
+export const PAGE_TEMPLATE_THROTTLER = 'page-template';
 // IP-keyed throttler for the anonymous public-share AI assistant. There is no
 // authenticated user on that route, so it is keyed by client IP (the default
 // ThrottlerGuard tracker) to bound anonymous abuse — the workspace owner pays