fix(api): remove root endpoint from IP rate limiting

The / health/info endpoint was included in IP-based rate limiting
(10 req/min), causing 429s in cloud deployments where ALB health
checks, kubelet probes, and frontend status polls all hit this
endpoint. Discovery endpoints (/.well-known/*) remain rate-limited.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: ericfitz

.version

@@ -1,6 +1,6 @@
 {
   "major": 1,
   "minor": 2,
-  "patch": 5,
+  "patch": 6,
   "prerelease": ""
 }

api/rate_limit_middleware.go

@@ -87,16 +87,11 @@ func RateLimitMiddleware(server *Server) gin.HandlerFunc {
 	}
 }
 
-// isPublicEndpoint checks if the path is a public discovery endpoint
+// isPublicEndpoint checks if the path is a public discovery endpoint.
+// Note: "/" (health/info) is intentionally excluded — it is hit by ALB health
+// checks, kubelet probes, and frontend status polls, so IP-based rate limiting
+// on it causes spurious 429s in cloud deployments.
 func isPublicEndpoint(path string) bool {
-	// Exact matches for specific public paths
-	exactMatches := []string{
-		"/",
-	}
-	if slices.Contains(exactMatches, path) {
-		return true
-	}
-
 	// Prefix matches for public path prefixes
 	prefixes := []string{
 		"/.well-known/",

api/rate_limit_middleware_test.go

@@ -47,24 +47,15 @@ func TestRateLimitMiddleware(t *testing.T) {
 
 		router := gin.New()
 		router.Use(RateLimitMiddleware(server))
-		router.GET("/", func(c *gin.Context) {
-			c.JSON(http.StatusOK, gin.H{"status": "ok"})
-		})
 		router.GET("/.well-known/openid-configuration", func(c *gin.Context) {
 			c.JSON(http.StatusOK, gin.H{"status": "ok"})
 		})
 
-		// Test root endpoint
-		req := httptest.NewRequest("GET", "/", nil)
+		// Test .well-known endpoint (public, should skip API rate limiting)
+		req := httptest.NewRequest("GET", "/.well-known/openid-configuration", nil)
 		w := httptest.NewRecorder()
 		router.ServeHTTP(w, req)
 		assert.Equal(t, http.StatusOK, w.Code)
-
-		// Test .well-known endpoint
-		req = httptest.NewRequest("GET", "/.well-known/openid-configuration", nil)
-		w = httptest.NewRecorder()
-		router.ServeHTTP(w, req)
-		assert.Equal(t, http.StatusOK, w.Code)
 	})
 
 	t.Run("skips rate limiting for auth flow endpoints", func(t *testing.T) {
@@ -321,20 +312,20 @@ func TestIPRateLimitMiddleware(t *testing.T) {
 
 		router := gin.New()
 		router.Use(IPRateLimitMiddleware(server))
-		router.GET("/", func(c *gin.Context) {
+		router.GET("/.well-known/openid-configuration", func(c *gin.Context) {
 			c.JSON(http.StatusOK, gin.H{"status": "ok"})
 		})
 
 		// Make 10 requests to exhaust the limit
 		for i := range 10 {
-			req := httptest.NewRequest("GET", "/", nil)
+			req := httptest.NewRequest("GET", "/.well-known/openid-configuration", nil)
 			w := httptest.NewRecorder()
 			router.ServeHTTP(w, req)
 			assert.Equal(t, http.StatusOK, w.Code, "Request %d should be allowed", i+1)
 		}
 
 		// 11th request should be blocked
-		req := httptest.NewRequest("GET", "/", nil)
+		req := httptest.NewRequest("GET", "/.well-known/openid-configuration", nil)
 		w := httptest.NewRecorder()
 		router.ServeHTTP(w, req)
 
@@ -353,12 +344,12 @@ func TestIPRateLimitMiddleware(t *testing.T) {
 
 		router := gin.New()
 		router.Use(IPRateLimitMiddleware(server))
-		router.GET("/", func(c *gin.Context) {
+		router.GET("/.well-known/openid-configuration", func(c *gin.Context) {
 			c.JSON(http.StatusOK, gin.H{"status": "ok"})
 		})
 
 		// Request with X-Forwarded-For
-		req := httptest.NewRequest("GET", "/", nil)
+		req := httptest.NewRequest("GET", "/.well-known/openid-configuration", nil)
 		req.Header.Set("X-Forwarded-For", "203.0.113.195, 70.41.3.18, 150.172.238.178")
 		w := httptest.NewRecorder()
 		router.ServeHTTP(w, req)
@@ -488,7 +479,7 @@ func TestIsPublicEndpoint(t *testing.T) {
 		path     string
 		expected bool
 	}{
-		{"/", true},
+		{"/", false}, // health/info endpoint excluded from IP rate limiting
 		{"/.well-known/openid-configuration", true},
 		{"/.well-known/jwks.json", true},
 		{"/api/test", false},

api/version.go

@@ -46,7 +46,7 @@ var (
 	// Minor version number
 	VersionMinor = "2"
 	// Patch version number
-	VersionPatch = "5"
+	VersionPatch = "6"
 	// VersionPreRelease is the pre-release label (e.g., "rc.0", "beta.1"), empty for stable releases
 	VersionPreRelease = ""
 	// GitCommit is the git commit hash from build