futu_auth/limits/types.rs
1//! Split from limits.rs: types.
2//!
3//! pub items: Limits,CheckCtx,LimitReason,LimitOutcome,ValueRejectReason,market_to_currency,validate_order_value.
4
5use std::collections::HashSet;
6
7use serde::{Deserialize, Serialize};
8
9/// 限额配置(与 KeyRecord 字段平级,独立出来便于传递)
10#[derive(Debug, Clone, Default, Serialize, Deserialize)]
11pub struct Limits {
12 pub allowed_markets: Option<HashSet<String>>,
13 pub allowed_symbols: Option<HashSet<String>>,
14 pub max_order_value: Option<f64>,
15 pub max_daily_value: Option<f64>,
16 pub hours_window: Option<String>,
17 /// 每分钟下单次数上限(滑动窗口,None 表示不限)。挡 spray-and-pray
18 /// 类攻击:即使每单小于 max_order_value、日累计也够,也限制速率。
19 #[serde(default, skip_serializing_if = "Option::is_none")]
20 pub max_orders_per_minute: Option<u32>,
21 /// 允许的交易方向白名单:例如 `["SELL"]` = 只让平仓 bot 卖;
22 /// None / 空集 → 不限。大小写敏感,用 `"BUY"` / `"SELL"` / `"SELL_SHORT"` / `"BUY_BACK"`。
23 #[serde(default, skip_serializing_if = "Option::is_none")]
24 pub allowed_trd_sides: Option<HashSet<String>>,
25 /// v1.4.35 加(eli 回归报告建议 1):**per-key acc_id 白名单**
26 ///
27 /// 语义:该 key 只能对这些 acc_id 发 trade / unlock / query 操作;超出
28 /// 列表的 acc_id 直接被 auth 层拒(403)。None / 空集 → 不限(向后兼容老 key)。
29 ///
30 /// **定位**:operational safety(防 agent bug / LLM 幻觉 / key 泄露后爆炸半径)。
31 /// **不等同** financial isolation —— 后者需要多 union card(L4,见 CLAUDE.md 隔离层级)。
32 /// 对**纯现金策略**用户,L2 实质上等同财务隔离(没借钱就没传导)。
33 ///
34 /// 典型用法:
35 /// ```text
36 /// futucli gen-key --id bot-A --scopes trade:real,acc:read --allowed-acc-ids 10001,10002
37 /// futucli gen-key --id bot-B --scopes trade:real,acc:read --allowed-acc-ids 10003
38 /// ```
39 /// bot-A 只能动 10001/10002,bot-B 只能动 10003,互不影响。
40 #[serde(default, skip_serializing_if = "Option::is_none")]
41 pub allowed_acc_ids: Option<HashSet<u64>>,
42 /// v1.4.103 (B10): per-key card_num 白名单 (string format).
43 ///
44 /// daemon 启动后通过 GetAccList resolve → 合并进 `allowed_acc_ids`. 详见
45 /// [`KeyRecord::allowed_card_nums`].
46 #[serde(default, skip_serializing_if = "Option::is_none")]
47 pub allowed_card_nums: Option<Vec<String>>,
48}
49
50/// 限额检查上下文:一次下单的 market/symbol/金额/方向
51#[derive(Debug, Clone, Default)]
52pub struct CheckCtx {
53 /// "HK" / "US" / "CN" / "HKCC" 等
54 pub market: String,
55 /// "HK.00700" 格式(market + code);**空串** 表示调用方无法推导 symbol
56 /// (改单 / 撤单路径),此时 symbol 白名单检查被跳过(但 market 仍会被校验)。
57 pub symbol: String,
58 /// qty × price(本币);None 表示无法计算(如 MARKET 单),跳过金额检查
59 pub order_value: Option<f64>,
60 /// 交易方向字符串(`"BUY"` / `"SELL"` / ...);None 表示无需方向校验
61 /// (改单 / 撤单路径)
62 pub trd_side: Option<String>,
63 /// v1.4.35:被操作的账户 ID;None 表示此请求不涉及特定账户(全局请求
64 /// 如 subscribe / quote,跳过 acc_id 白名单检查)。
65 pub acc_id: Option<u64>,
66 /// v1.4.106 codex 0538 F2 (P2): typed marker — 此 mutation 不产生
67 /// 新 exposure delta(撤单 / 失效 / 生效 / 删除老单)。
68 ///
69 /// **语义**:true = 改 daemon 状态但不动 risk exposure(不跑 daily
70 /// counter, 但仍跑 acc_id / market / rate / hours 白名单)。
71 /// false = 真有 exposure delta(PlaceOrder, ModifyOrder Normal)→
72 /// 必须给 order_value 让 daily counter 累加.
73 ///
74 /// 区分 ModifyOrder 5 种 op:
75 ///
76 /// | modify_order_op | 含义 | mutation_no_exposure | order_value |
77 /// |---|---|---|---|
78 /// | 1 (Normal) | 改价 / 改量 → 新 exposure | **false** | Some(qty*price) |
79 /// | 2 (Cancel) | 撤单 → 减 exposure | true | None |
80 /// | 3 (Disable) | 失效 | true | None |
81 /// | 4 (Enable) | 生效(之前 Disable)| true | None (cap 难算) |
82 /// | 5 (Delete) | 删除老单 | true | None |
83 ///
84 /// **保守语义**:Enable 理论可重新激活老单产生 exposure, 但不知 qty/price
85 /// 上下文(仅靠 order_id),无法算 order_value → 标 mutation_no_exposure
86 /// = true(跳 daily counter);rate-window 仍计数挡 spray attack。
87 ///
88 /// **默认 false**: 所有 PlaceOrder / 已知 exposure 路径默认 false(保守)。
89 pub mutation_no_exposure: bool,
90 /// v1.4.106 codex 0538 F4 (P3): 订单币种 (`HKD` / `USD` / `CNY` / `JPY`
91 /// / `SGD` / `AUD` / `MYR` / `CAD` 等)
92 ///
93 /// **None** = legacy 单桶模式 (counter 全合并到 `_default_` key, 与 v1.4.105
94 /// 行为完全等价);
95 ///
96 /// **Some(ccy)** = per-currency 桶 (HKD / USD / ... 各自独立 daily counter,
97 /// USD 单不消耗 HKD 配额, 防 cross-currency dilution).
98 ///
99 /// `Limits::max_daily_value` cap 解释成**每个 currency 桶独立 cap**.
100 ///
101 /// 由调用方从 market 派生 (见 [`market_to_currency`]).
102 pub currency: Option<String>,
103}
104
105/// v1.4.106 codex 0538 F4 (P3): trd market → currency 推导.
106///
107/// 用于派生 [`CheckCtx::currency`]. 各市场按 base trading currency:
108///
109/// | market | currency |
110/// |---|---|
111/// | HK / HKCC | HKD |
112/// | US | USD |
113/// | CN | CNY |
114/// | JP | JPY |
115/// | SG | SGD |
116/// | AU | AUD |
117/// | MY | MYR |
118/// | CA | CAD |
119/// | 其他 (FUTURES / 未知) | None (合并到 default 桶) |
120///
121/// **注意**: HKCC (HK 沪港通) 实际多币种, 但 daily counter 视角统一 HKD —
122/// 避免双桶碎片化. 真实多币种细分 (e.g. 沪港通买卖差价是 HKD 还是 CNY)
123/// 应由 backend 业务层决定, daemon 限额引擎只挡 quota.
124#[must_use]
125pub fn market_to_currency(market: &str) -> Option<&'static str> {
126 match market {
127 "HK" | "HKCC" => Some("HKD"),
128 "US" => Some("USD"),
129 "CN" => Some("CNY"),
130 "JP" => Some("JPY"),
131 "SG" => Some("SGD"),
132 "AU" => Some("AUD"),
133 "MY" => Some("MYR"),
134 "CA" => Some("CAD"),
135 _ => None,
136 }
137}
138
139/// **v1.4.106 codex 0542 F2 [P2 SECURITY]**: 限额拒绝原因 typed enum.
140///
141/// 三层语义视图同 reject 不同消费方:
142///
143/// | 视图 | 用途 | 是否含 PII / 敏感细节 |
144/// |---|---|---|
145/// | [`Self::public_message`] | client error body (REST 403/429 JSON, gRPC Status.message) | **不含** — 只说 "rejected by <category>" |
146/// | [`Self::audit_message`] | audit log + tracing (内部 ops 用) | 含 — `daily 27000.00 > 25000.00` 等数值 |
147/// | [`Self::metric_label`] | Prometheus `reason` label (固定桶) | **不含** — 固定 8 字串集合 |
148///
149/// **设计动机** (v1.4.105 之前):
150///
151/// 老代码 `LimitOutcome::*Reject(String)` 把 `format!("daily value 27000.00 > 25000.00 (current=18000.00 + order=9000.00)")`
152/// 同字符串既给 client (HTTP body) 又给 audit log 又给 prometheus reason
153/// (走 [`crate::metrics::classify_limit_reason`] 字符串前缀分桶). 三个 leak:
154///
155/// 1. **client 看到 user 内部数值** — 攻击者撞 daily cap 时能精确推出 cap
156/// threshold 与当前累计 (cap=25000, current=18000 → 还能下 7000).
157/// 2. **prometheus reason label 字符串前缀分桶** — 任何 reason format 漂移
158/// (e.g. 加 ", retry after 60s") 落到 `other` 桶, dashboard 静默断流.
159/// 维护需 "新增 reason category 时同步改 classify_limit_reason match
160/// arm" — 易漂.
161/// 3. **audit log 与 client message 无法独立演进** — 想给 audit 加更细节
162/// 时, 等同于给 client error body 也加, surface mismatch.
163///
164/// **F2 修法**: typed enum + 3 个 method, 各自只 emit 自己 surface 需要的
165/// 信息. caller 用 `match` 编译期穷举确保不漏 surface, [`crate::metrics::
166/// classify_limit_reason`] 仍保留 (作向后兼容兜底字符串路径), 但新代码走
167/// `LimitReason::metric_label()` 拿固定桶名.
168#[derive(Debug, Clone, PartialEq)]
169#[non_exhaustive]
170pub enum LimitReason {
171 /// per-key acc_id 白名单拒 (403). `id` = 实际请求 acc_id, `allowed_count`
172 /// = 配置白名单 entry 数 (audit 用; client surface 不展示).
173 AccIdWhitelist { id: u64, allowed_count: usize },
174 /// 市场白名单拒 (403). `requested` = 请求 market (e.g. "US"),
175 /// `allowed_count` = 配置 set size.
176 MarketWhitelist {
177 requested: String,
178 allowed_count: usize,
179 },
180 /// 品种白名单拒 (403). `requested` = 请求 symbol (e.g. "HK.09988"),
181 /// 不返 allowed list (太长, 也 leak 内部允许品种).
182 SymbolWhitelist { requested: String },
183 /// 交易方向白名单拒 (403). `requested` = 请求 side ("BUY" / "SELL" /
184 /// "SELL_SHORT" / "BUY_BACK"), `allowed_count` = 配置 set size.
185 TrdSideWhitelist {
186 requested: String,
187 allowed_count: usize,
188 },
189 /// 时间窗外拒 (429 — 用户之后再试). `spec` = 配置 (e.g. "09:30-16:00"),
190 /// `now_hhmm` = 当前 local time (e.g. "08:15").
191 HoursOutsideWindow { spec: String, now_hhmm: String },
192 /// 时间窗 spec 解析失败 (429 — 配置 bug). `spec` = 原 string, `err` = 解析错.
193 HoursInvalidSpec { spec: String, err: String },
194 /// 单笔上限超 (403). `value` = 请求金额, `cap` = 配置 per-order cap.
195 PerOrderCap { value: f64, cap: f64 },
196 /// per-minute 速率超 (429). `recent` = 60s 内已下单数, `cap` = 配置 cap.
197 RateLimit { recent: u32, cap: u32 },
198 /// 日累计超 (429). `next` = 累加后 total, `cap` = 配置 daily cap, `current`
199 /// = 累加前 total, `add` = 本次金额.
200 DailyCap {
201 next: f64,
202 cap: f64,
203 current: f64,
204 add: f64,
205 },
206}
207
208impl LimitReason {
209 /// **client surface** (REST 403/429 JSON / gRPC Status.message): 只说
210 /// "rejected by <category>" + 极简 hint, **不含** cap / threshold / current
211 /// 等数值 (反 enumeration / probing).
212 #[must_use]
213 pub fn public_message(&self) -> String {
214 match self {
215 LimitReason::AccIdWhitelist { .. } => "acc_id not in allowed list".to_string(),
216 LimitReason::MarketWhitelist { .. } => "market not in allowed list".to_string(),
217 LimitReason::SymbolWhitelist { .. } => "symbol not in allowed list".to_string(),
218 LimitReason::TrdSideWhitelist { .. } => "trd_side not in allowed list".to_string(),
219 LimitReason::HoursOutsideWindow { .. } => "outside trading hours window".to_string(),
220 LimitReason::HoursInvalidSpec { .. } => {
221 "trading hours window misconfigured".to_string()
222 }
223 LimitReason::PerOrderCap { .. } => "order value exceeds per-order cap".to_string(),
224 LimitReason::RateLimit { .. } => "rate limit exceeded".to_string(),
225 LimitReason::DailyCap { .. } => "daily value cap exceeded".to_string(),
226 }
227 }
228
229 /// **audit / log surface** (内部 ops, full detail), 含数值 + threshold.
230 ///
231 /// 与 v1.4.105 之前 `Reject(String)` 字符串内容兼容 — 保留前缀 (e.g.
232 /// `"rate limit exceeded:"`) 让 [`crate::metrics::classify_limit_reason`]
233 /// 字符串桶继续命中 (向后兼容已有 dashboard).
234 #[must_use]
235 pub fn audit_message(&self) -> String {
236 match self {
237 LimitReason::AccIdWhitelist { id, allowed_count } => {
238 format!("acc_id {id} not in allowed list ({allowed_count} entries)")
239 }
240 LimitReason::MarketWhitelist {
241 requested,
242 allowed_count,
243 } => {
244 format!("market {requested:?} not in allowed list ({allowed_count} entries)")
245 }
246 LimitReason::SymbolWhitelist { requested } => {
247 format!("symbol {requested:?} not in allowed list")
248 }
249 LimitReason::TrdSideWhitelist {
250 requested,
251 allowed_count,
252 } => {
253 format!("trd_side {requested:?} not in allowed list ({allowed_count} entries)")
254 }
255 LimitReason::HoursOutsideWindow { spec, now_hhmm } => {
256 format!("outside hours window {spec} (now={now_hhmm})")
257 }
258 LimitReason::HoursInvalidSpec { spec, err } => {
259 format!("invalid hours_window {spec:?}: {err}")
260 }
261 LimitReason::PerOrderCap { value, cap } => {
262 format!("order value {value:.2} exceeds per-order cap {cap:.2}")
263 }
264 LimitReason::RateLimit { recent, cap } => {
265 format!("rate limit exceeded: {recent} orders in the last 60s (cap {cap})")
266 }
267 LimitReason::DailyCap {
268 next,
269 cap,
270 current,
271 add,
272 } => format!(
273 "daily value cap exceeded: {next:.2} > {cap:.2} (current={current:.2} + order={add:.2})"
274 ),
275 }
276 }
277
278 /// **prometheus surface**: 固定 8 字串集合, 任何漂移 (audit_message format
279 /// 改) 都不影响 dashboard. 与 [`crate::metrics::classify_limit_reason`] 字符串
280 /// 前缀分桶**保持 1-1 对应**, 但典型化为编译期穷举.
281 #[must_use]
282 pub fn metric_label(&self) -> &'static str {
283 match self {
284 LimitReason::AccIdWhitelist { .. } => "acc_id",
285 LimitReason::MarketWhitelist { .. } => "market",
286 LimitReason::SymbolWhitelist { .. } => "symbol",
287 LimitReason::TrdSideWhitelist { .. } => "side",
288 LimitReason::HoursOutsideWindow { .. } | LimitReason::HoursInvalidSpec { .. } => {
289 "hours"
290 }
291 LimitReason::PerOrderCap { .. } => "per_order",
292 LimitReason::RateLimit { .. } => "rate",
293 LimitReason::DailyCap { .. } => "daily",
294 }
295 }
296
297 /// HTTP status code: 429 (rate-like, retry) vs 403 (whitelist/value, don't retry).
298 #[must_use]
299 pub fn http_status_code(&self) -> u16 {
300 match self {
301 // throughput-like (rate / hours / daily) → 429
302 LimitReason::HoursOutsideWindow { .. }
303 | LimitReason::HoursInvalidSpec { .. }
304 | LimitReason::RateLimit { .. }
305 | LimitReason::DailyCap { .. } => 429,
306 // whitelist / value → 403
307 LimitReason::AccIdWhitelist { .. }
308 | LimitReason::MarketWhitelist { .. }
309 | LimitReason::SymbolWhitelist { .. }
310 | LimitReason::TrdSideWhitelist { .. }
311 | LimitReason::PerOrderCap { .. } => 403,
312 }
313 }
314}
315
316/// 限额检查结果
317///
318/// v1.4.36 Bug #1 扩展:拒绝类型区分 `Throughput` vs `Whitelist` vs `Value`,
319/// 让 REST / gRPC middleware 能把不同类型映射到正确的 HTTP status:
320///
321/// - **Throughput**(速率 / 日累计 / 时间窗)→ HTTP 429 Too Many Requests
322/// 客户端按 rate-limit 语义 backoff 重试即可
323/// - **Whitelist**(market / symbol / trd_side / acc_id 不在白名单)→ HTTP 403 Forbidden
324/// 客户端**不该重试**,是权限问题,需要改 key / 改请求参数
325/// - **Value**(单笔上限超 / NaN / inf / 负数)→ HTTP 403 Forbidden
326/// 同 Whitelist,不该重试;需要拆单或换 key
327///
328/// **v1.4.106 codex 0542 F2 [P2 SECURITY]**: `*Reject(String)` variants 现承载
329/// `audit_message()` (内部 full-detail). client surface 应通过新 [`LimitReason`]
330/// 字段拿 `public_message()` (terse, no cap leak). 见 [`Self::reason_typed`].
331///
332/// 老代码用 `Reject(String)`,保留作向后兼容 —— 但新检查应返对应 `*Reject` 类型。
333///
334/// v1.4.106 codex 0538 F1 (P1 SECURITY): `ValueReject` 内部带结构化原因,
335/// 让 fail-closed validation (NaN / inf / negative) 与 normal cap-exceeded
336/// 区分;display 消息仍 backward-compat 字符串格式。
337#[derive(Debug, Clone, PartialEq)]
338#[non_exhaustive]
339pub enum LimitOutcome {
340 Allow,
341 /// 速率 / 日累计 / 时间窗类拒绝(429 语义:客户端应 backoff 重试).
342 /// String = `LimitReason::audit_message()`.
343 ThroughputReject(String),
344 /// 白名单类拒绝(403 语义:权限问题,不该重试).
345 /// String = `LimitReason::audit_message()`.
346 WhitelistReject(String),
347 /// 金额上限拒绝(403 语义:不该重试;拆单或换 key).
348 /// String = `LimitReason::audit_message()`.
349 ValueReject(String),
350 /// **v1.4.106 codex 0542 F2**: typed reject — 推荐新代码用此 variant,
351 /// caller 通过 `LimitReason::public_message()` / `audit_message()` /
352 /// `metric_label()` 各自取所需视图. 与三个老 String variant 共存
353 /// (新代码 emit `Typed`, 老代码 emit `*Reject(String)` 仍工作).
354 Typed(LimitReason),
355}
356
357/// 金额拒绝的结构化原因(v1.4.106 codex 0538 F1 P1 SECURITY)
358///
359/// 区分 fail-closed validation (NaN / inf / negative) 与 normal cap exceed,
360/// 便于 caller 决定是否 audit-log(fail-closed → 高优先级 audit)。display
361/// 消息仍是 backward-compat 字符串。
362///
363/// **NaN / inf / negative 全归 fail-closed**:金融场景不允许这些值流过
364/// 限额引擎 —— LLM agent / proto fuzz / unsanitized REST body 任一来源传
365/// `f64::NAN` 都会让 `value > cap + EPSILON` 静默 false(NaN compare 总返
366/// false),bypass per-order cap 与 daily counter;负数则把 daily counter
367/// **倒减**让后续大单通过。三类全 fail-closed 拒。
368#[derive(Debug, Clone, PartialEq, Eq)]
369#[non_exhaustive]
370pub enum ValueRejectReason {
371 /// 单笔超过 max_order_value cap
372 OverPerOrderCap,
373 /// 日累计超过 max_daily_value cap
374 OverDailyCap,
375 /// order_value 为 NaN(fail-closed)
376 NotANumber,
377 /// order_value 为 +inf / -inf(fail-closed)
378 Infinite,
379 /// order_value 为负数(fail-closed —— 负数会倒减 daily counter)
380 Negative,
381}
382
383impl ValueRejectReason {
384 /// 是否为 fail-closed validation 拒绝(NaN / inf / negative)—— 高优先级 audit
385 #[must_use]
386 pub fn is_fail_closed(&self) -> bool {
387 matches!(self, Self::NotANumber | Self::Infinite | Self::Negative)
388 }
389}
390
391/// 校验 order_value 数值合法性(v1.4.106 codex 0538 F1 P1 SECURITY)
392///
393/// 防御 NaN / inf / negative 三类异常输入。所有走 limit 引擎的 order_value
394/// **必须**先过这层,否则:
395///
396/// - **NaN**:`x > cap + EPSILON` 总 false → bypass 单笔 cap;
397/// daily counter `total + NaN = NaN` → 后续 compare 全 false → 永远 allow.
398/// - **+inf / -inf**:算术 saturate → daily counter inf → 任何后续 add 仍 inf
399/// → reject 但 lose precision;负 inf 让 daily 立即变 -inf → 永远 allow.
400/// - **negative**:daily total + (-100) = total - 100 → daily counter 倒退
401/// → 让后续大单通过 cap.
402///
403/// 三类全 fail-closed (`Err(ValueRejectReason::*)`)。
404pub fn validate_order_value(v: f64) -> Result<f64, ValueRejectReason> {
405 if v.is_nan() {
406 return Err(ValueRejectReason::NotANumber);
407 }
408 if v.is_infinite() {
409 return Err(ValueRejectReason::Infinite);
410 }
411 if v < 0.0 {
412 return Err(ValueRejectReason::Negative);
413 }
414 Ok(v)
415}
416
417impl LimitOutcome {
418 /// 是否拒绝(`!is_allow` 等价于"拒绝")
419 #[must_use]
420 pub fn is_allow(&self) -> bool {
421 matches!(self, LimitOutcome::Allow)
422 }
423
424 /// 拒绝时的 reason 字符串(Allow 返 None).
425 ///
426 /// **v1.4.106 codex 0542 F2 调整**: 现返 `Option<String>` (老
427 /// `Option<&str>` 兼容性 break, 但所有内部 caller 用 `format!("{reason}")`
428 /// 不受影响). 走 [`Self::public_message`] 取 client surface 安全形式.
429 pub fn reason(&self) -> Option<String> {
430 match self {
431 LimitOutcome::Allow => None,
432 LimitOutcome::ThroughputReject(s)
433 | LimitOutcome::WhitelistReject(s)
434 | LimitOutcome::ValueReject(s) => Some(s.clone()),
435 LimitOutcome::Typed(r) => Some(r.audit_message()),
436 }
437 }
438
439 /// **v1.4.106 codex 0542 F2**: typed reason (若 `Typed(r)` variant), 否则 None.
440 #[must_use]
441 pub fn reason_typed(&self) -> Option<&LimitReason> {
442 match self {
443 LimitOutcome::Typed(r) => Some(r),
444 _ => None,
445 }
446 }
447
448 /// **v1.4.106 codex 0542 F2**: client-surface terse message.
449 pub fn public_message(&self) -> Option<String> {
450 match self {
451 LimitOutcome::Allow => None,
452 LimitOutcome::ThroughputReject(s)
453 | LimitOutcome::WhitelistReject(s)
454 | LimitOutcome::ValueReject(s) => Some(s.clone()),
455 LimitOutcome::Typed(r) => Some(r.public_message()),
456 }
457 }
458
459 /// **v1.4.106 codex 0542 F2**: prometheus metric_label (8 固定桶) 若 typed.
460 #[must_use]
461 pub fn metric_label(&self) -> Option<&'static str> {
462 match self {
463 LimitOutcome::Typed(r) => Some(r.metric_label()),
464 _ => None,
465 }
466 }
467
468 /// 适合此拒绝类型的 HTTP 状态码(REST / gRPC middleware 用)
469 ///
470 /// - `Allow` → 200
471 /// - `Throughput` / typed throughput → 429
472 /// - `Whitelist` / `Value` / typed whitelist/value → 403
473 #[must_use]
474 pub fn http_status_code(&self) -> u16 {
475 match self {
476 LimitOutcome::Allow => 200,
477 LimitOutcome::ThroughputReject(_) => 429,
478 LimitOutcome::WhitelistReject(_) | LimitOutcome::ValueReject(_) => 403,
479 LimitOutcome::Typed(r) => r.http_status_code(),
480 }
481 }
482}