Release v0.1.11: Rate Limiting, 6AM Sync Schedule, Sync Now Button

12 February 2026

What changed

• Rate limiting across all API routes — A new sliding window rate limiter with 10 tiers (from 3 req/5min for sync to 100 req/min for webhooks) is now enforced at the middleware level. Returns standard 429 responses with Retry-After headers. Supports ISO 27001 A.14.1.2 compliance.
• Sync schedule moved to 6:00 AM UTC — The daily OFSI sanctions sync now runs at 6 AM UTC (7 AM BST) instead of 2 AM, aligning with the start of the UK business day.
• Sync Now button improvements — The dashboard OFSI sync button now calls the correct nightly endpoint, displays re-screening results (people re-screened, new matches found), and shows the last sync timestamp with a status badge.
• Better error handling — Rate limit responses in the UI show a user-friendly message with the retry wait time. The GitHub Actions sync workflow now logs HTTP responses and warns on failures.

Why it matters

Rate limiting protects the platform from abuse and is a requirement for ISO 27001 certification. The updated sync schedule and improved Sync Now button give users clearer visibility into when their data was last checked and what changed.

Technical notes

• New file: src/lib/rate-limit.ts — in-memory store with automatic cleanup every 60s
• Rate limiting runs in middleware before authentication, so unauthenticated abuse is blocked early
• Health/readiness endpoints are excluded from rate limiting