Add explicit rate limits and total connection limit

- Make RateLimit explicit in relay builder (500 subs, 60 events/min)
- Add NGIT_MAX_CONNECTIONS config option (default: 500)
- Update all 4 config locations (src, nix, docs, .env.example)
- Fix documentation error: filter limit 5000→500
- Document Phase 2 deferral decision (per-IP enforcement)

Addresses primary DoS vector (connection exhaustion) with minimal code.
Per-IP rate limiting deferred until abuse detected in production.

Related: issue ff38 (git endpoint throttling - separate concern)

1 files changed, 7 insertions, 0 deletions

diff --git a/nix/module.nix b/nix/module.nix
index 09c56c1..4117b6d 100644
--- a/nix/module.nix
+++ b/nix/module.nix
@@ -250,6 +250,12 @@ let
         '';
       };
 
+      maxConnections = mkOption {
+        type = types.int;
+        default = 500;
+        description = "Maximum total connections to the relay";
+      };
+
       user = mkOption {
         type = types.str;
         default = "ngit-grasp-${name}";
@@ -295,6 +301,7 @@ let
       NGIT_REPOSITORY_WHITELIST = concatStringsSep "," cfg.repositoryWhitelist;
       NGIT_REPOSITORY_BLACKLIST = concatStringsSep "," cfg.repositoryBlacklist;
       NGIT_EVENT_BLACKLIST = concatStringsSep "," cfg.eventBlacklist;
+      NGIT_MAX_CONNECTIONS = toString cfg.maxConnections;
       RUST_LOG = cfg.logLevel;
     } // optionalAttrs (cfg.relayName != null) {
       NGIT_RELAY_NAME = cfg.relayName;