VolvoxLLC
diff --git a/‎config.json‎
Lines changed: 18 additions & 7 deletions b/‎config.json‎
Lines changed: 18 additions & 7 deletions
diff --git a/‎src/api/middleware/rateLimit.js‎
Lines changed: 12 additions & 2 deletions b/‎src/api/middleware/rateLimit.js‎
Lines changed: 12 additions & 2 deletions
diff --git a/‎src/api/routes/auth.js‎
Lines changed: 10 additions & 1 deletion b/‎src/api/routes/auth.js‎
Lines changed: 10 additions & 1 deletion
diff --git a/‎src/api/utils/configAllowlist.js‎
Lines changed: 1 addition & 0 deletions b/‎src/api/utils/configAllowlist.js‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎src/config-listeners.js‎
Lines changed: 17 additions & 0 deletions b/‎src/config-listeners.js‎
Lines changed: 17 additions & 0 deletions
diff --git a/‎src/index.js‎
Lines changed: 5 additions & 1 deletion b/‎src/index.js‎
Lines changed: 5 additions & 1 deletion
@@ -282,18 +282,29 @@
         "enabled": false,
         "maxPerUser": 25
     },
+    "botStatus": {
+        "enabled": true,
+        "status": "online",
+        "activityType": "Playing",
+        "activities": [
+            "with {memberCount} members",
+            "in {guildCount} servers",
+            "your assistant | Volvox"
+        ],
+        "rotateIntervalMs": 30000
+    },
     "quietMode": {
         "enabled": false,
         "allowedRoles": [
             "moderator"
         ],
         "defaultDurationMinutes": 30,
         "maxDurationMinutes": 1440
-  },
-  "voice": {
-    "enabled": false,
-    "xpPerMinute": 2,
-    "dailyXpCap": 120,
-    "logChannel": null
-  }
+    },
+    "voice": {
+        "enabled": false,
+        "xpPerMinute": 2,
+        "dailyXpCap": 120,
+        "logChannel": null
+    }
 }
@@ -3,17 +3,27 @@
  * Simple in-memory per-IP rate limiter with no external dependencies
  */
 
+const DEFAULT_MESSAGE = 'Too many requests, please try again later';
+
 /**
  * Creates rate-limiting middleware that tracks requests per IP address.
  * Returns 429 JSON error when the limit is exceeded.
  *
  * @param {Object} [options] - Rate limiter configuration
  * @param {number} [options.windowMs=900000] - Time window in milliseconds (default: 15 minutes)
  * @param {number} [options.max=100] - Maximum requests per window per IP (default: 100)
+ * @param {string} [options.message] - Custom error message for 429 responses
  * @returns {import('express').RequestHandler & { destroy: () => void }} Express middleware with a destroy method to clear the cleanup timer
  */
-export function rateLimit({ windowMs = 15 * 60 * 1000, max = 100 } = {}) {
+export function rateLimit({
+  windowMs = 15 * 60 * 1000,
+  max = 100,
+  message = DEFAULT_MESSAGE,
+} = {}) {
+  const errorMessage = typeof message === 'string' && message.trim() ? message : DEFAULT_MESSAGE;
+
   /** @type {Map<string, { count: number, resetAt: number }>} */
+
   const clients = new Map();
 
   // Periodically clean up expired entries to prevent memory leaks
@@ -49,7 +59,7 @@ export function rateLimit({ windowMs = 15 * 60 * 1000, max = 100 } = {}) {
     if (entry.count > max) {
       const retryAfter = Math.ceil((entry.resetAt - now) / 1000);
       res.set('Retry-After', String(retryAfter));
-      return res.status(429).json({ error: 'Too many requests, please try again later' });
+      return res.status(429).json({ error: errorMessage });
     }
 
     next();
 
@@ -108,6 +108,13 @@ export function stopAuthCleanup() {
 /** Rate limiter for OAuth initiation — 10 requests per 15 minutes per IP */
 const oauthRateLimit = rateLimit({ windowMs: 15 * 60 * 1000, max: 10 });
 
+/** Rate limiter for OAuth callback — 10 attempts per minute per IP (prevents code brute-force and Discord rate-limit exhaustion) */
+const callbackRateLimit = rateLimit({
+  windowMs: 60 * 1000,
+  max: 10,
+  message: 'Too many authentication attempts',
+});
+
 /**
  * @openapi
  * /auth/discord:
@@ -208,6 +215,8 @@ router.get('/discord', oauthRateLimit, (_req, res) => {
  *           application/json:
  *             schema:
  *               $ref: "#/components/schemas/Error"
+ *       "429":
+ *         $ref: "#/components/responses/RateLimited"
  *       "500":
  *         $ref: "#/components/responses/ServerError"
  *       "502":
@@ -217,7 +226,7 @@ router.get('/discord', oauthRateLimit, (_req, res) => {
  *             schema:
  *               $ref: "#/components/schemas/Error"
  */
-router.get('/discord/callback', async (req, res) => {
+router.get('/discord/callback', callbackRateLimit, async (req, res) => {
   cleanExpiredStates();
 
   const { code, state } = req.query;
 
@@ -28,6 +28,7 @@ export const SAFE_CONFIG_KEYS = new Set([
   'review',
   'auditLog',
   'reminders',
+  'botStatus',
   'quietMode',
 ]);
 
 
@@ -9,6 +9,7 @@
  */
 
 import { addPostgresTransport, error, info, removePostgresTransport } from './logger.js';
+import { reloadBotStatus } from './modules/botStatus.js';
 import { onConfigChange } from './modules/config.js';
 import { fireEvent } from './modules/webhookNotifier.js';
 import { cacheDelPattern } from './utils/cache.js';
@@ -104,6 +105,22 @@ export function registerConfigListeners({ dbPool, config }) {
       await cacheDelPattern(`discord:guild:${guildId}:*`).catch(() => {});
     }
   });
+  // ── Bot status / presence hot-reload ───────────────────────────────
+  for (const key of [
+    'botStatus',
+    'botStatus.enabled',
+    'botStatus.status',
+    'botStatus.activityType',
+    'botStatus.activities',
+    'botStatus.rotateIntervalMs',
+  ]) {
+    onConfigChange(key, (_newValue, _oldValue, _path, guildId) => {
+      // Bot presence is global — ignore per-guild overrides here
+      if (guildId && guildId !== 'global') return;
+      reloadBotStatus();
+    });
+  }
+
   onConfigChange('reputation.*', async (_newValue, _oldValue, _path, guildId) => {
     if (guildId && guildId !== 'global') {
       await cacheDelPattern(`leaderboard:${guildId}*`).catch(() => {});
 
@@ -43,6 +43,7 @@ import {
   startConversationCleanup,
   stopConversationCleanup,
 } from './modules/ai.js';
+import { startBotStatus, stopBotStatus } from './modules/botStatus.js';
 import { getConfig, loadConfig } from './modules/config.js';
 import { registerEventHandlers } from './modules/events.js';
 import { startGithubFeed, stopGithubFeed } from './modules/githubFeed.js';
@@ -54,7 +55,6 @@ import { startScheduler, stopScheduler } from './modules/scheduler.js';
 import { startTriage, stopTriage } from './modules/triage.js';
 import { startVoiceFlush, stopVoiceFlush } from './modules/voice.js';
 import { fireEventAllGuilds } from './modules/webhookNotifier.js';
-import { closeRedisClient as closeRedis, initRedis } from './redis.js';
 import { pruneOldLogs } from './transports/postgres.js';
 import { stopCacheCleanup } from './utils/cache.js';
 import {
@@ -318,6 +318,7 @@ async function gracefulShutdown(signal) {
   stopScheduler();
   stopGithubFeed();
   perfMonitor.stop();
+  stopBotStatus();
   stopVoiceFlush();
 
   // 1.5. Stop API server (drain in-flight HTTP requests before closing DB)
@@ -532,6 +533,9 @@ async function startup() {
   await loadCommands();
   await client.login(token);
 
+  // Start bot status/activity rotation (runs after login so client.user is available)
+  startBotStatus(client);
+
   // Set Sentry context now that we know the bot identity (no-op if disabled)
   import('./sentry.js')
     .then(({ Sentry, sentryEnabled }) => {