feat: ACN Application Security Standard V7.30 compliance (19/23 items)

CRITICAL — Authentication & Access:
- TOTP MFA: otpauth-based, QR setup UI, sign-in flow integration,
  admin disable override, /account/security self-service page
- Session Timeouts: 8h absolute (maxAge), 30min idle (updateAge)
- Failed Auth Logging: Pino warn for invalid password/user/totp,
  info for successful login, audit entries for all auth events
- Concurrent Session Limit: ActiveSession model, oldest-kick strategy,
  max 3 per user (configurable in SystemSettings)

CRITICAL — HTTP Security:
- HSTS: max-age=31536000; includeSubDomains
- CSP: script/style/img/font/connect-src with Gemini/OpenAI whitelist
- X-XSS-Protection: 0 (CSP replaces legacy)
- Auth page cache: no-store, no-cache, must-revalidate
- Rate Limiting: 100/15min general API, 5/15min auth (Map-based)

Data Protection:
- XSS Sanitization: DOMPurify on comment bodies
- autocomplete="new-password" on all password/secret fields
- SameSite=Strict on all cookies (Credentials-only, no OAuth)
- File Upload Magic Bytes validation (PNG/JPEG/WebP/GIF/BMP/TIFF)

Logging & Monitoring:
- Login/Logout audit entries (Auth entityType)
- External API call logging with timing (OpenAI, Gemini)
- Input validation failure logging at warn level
- Concurrent session tracking in ActiveSession table

Documentation:
- docs/security-architecture.md (11 sections)
- docs/sdlc.md (CI pipeline, security gates, incident response)
- .gitea/PULL_REQUEST_TEMPLATE.md (security checklist)

Schema: User.totpSecret/totpEnabled, SystemSettings.sessionMaxAge/
sessionIdleTimeout/maxConcurrentSessions, ActiveSession model

Tests: 310 engine + 37 staffing pass. TypeScript clean.

Co-Authored-By: claude-flow <ruv@ruv.net>

packages/api/src/middleware/rate-limit.ts

@@ -0,0 +1,71 @@
+/**
+ * Simple in-memory rate limiter (Map-based).
+ * Good enough for single-instance deployments.
+ * For multi-instance, swap to Redis-backed implementation.
+ */
+
+interface RateLimitEntry {
+  count: number;
+  resetAt: number;
+}
+
+interface RateLimitResult {
+  allowed: boolean;
+  remaining: number;
+  resetAt: Date;
+}
+
+/**
+ * Creates a sliding-window rate limiter.
+ * @param windowMs  - Time window in milliseconds
+ * @param maxRequests - Maximum requests allowed within the window
+ */
+export function createRateLimiter(windowMs: number, maxRequests: number) {
+  const store = new Map<string, RateLimitEntry>();
+
+  // Periodically clean up expired entries to prevent memory leaks
+  const cleanupInterval = setInterval(() => {
+    const now = Date.now();
+    for (const [key, entry] of store) {
+      if (entry.resetAt <= now) {
+        store.delete(key);
+      }
+    }
+  }, windowMs);
+
+  // Allow garbage collection if the process holds no other references
+  if (cleanupInterval.unref) {
+    cleanupInterval.unref();
+  }
+
+  return function check(key: string): RateLimitResult {
+    const now = Date.now();
+    const existing = store.get(key);
+
+    // Window expired or first request — start fresh
+    if (!existing || existing.resetAt <= now) {
+      const resetAt = now + windowMs;
+      store.set(key, { count: 1, resetAt });
+      return {
+        allowed: true,
+        remaining: maxRequests - 1,
+        resetAt: new Date(resetAt),
+      };
+    }
+
+    // Within the current window
+    existing.count += 1;
+    const allowed = existing.count <= maxRequests;
+    return {
+      allowed,
+      remaining: Math.max(0, maxRequests - existing.count),
+      resetAt: new Date(existing.resetAt),
+    };
+  };
+}
+
+/** General API rate limiter: 100 requests per 15 minutes per key */
+export const apiRateLimiter = createRateLimiter(15 * 60 * 1000, 100);
+
+/** Auth rate limiter: 5 attempts per 15 minutes per key */
+export const authRateLimiter = createRateLimiter(15 * 60 * 1000, 5);