Skip to content

RFC-026: Human Feedback Signal — 9. Rate Limiting and Abuse Prevention

AIGP SpecificationRFC-026: Human Feedback Signal › 9. Rate Limiting and Abuse Prevention

← 8. Privacy & Consent · Section index · 10. Feedback Aggregation for Dashboards →

9. Rate Limiting and Abuse Prevention

9.1 Per-User Throttling

The governance server SHALL enforce rate limits on the FEEDBACK endpoint to prevent abuse:

Limit Default Configurable
Max feedback per pseudonym_id per hour 20 Yes
Max feedback per pseudonym_id per request_id 1 No (one rating per invocation)
Max comment length 500 characters Yes
Minimum interval between feedback submissions 2 seconds Yes

9.2 Deduplication

If a FEEDBACK message arrives for a request_id that already has feedback from the same pseudonym_id, the server SHALL:

  • Overwrite the existing rating (users change their mind)
  • Append comment text (enrichment, not replacement)
  • Retain the original timestamp as first_feedback_at and record last_updated_at

9.3 Abuse Detection

The governance server SHOULD flag anomalous feedback patterns:

Pattern Signal Action
>90% thumbs_down from single pseudonym in 24h Possible adversarial Flag for review, do not include in aggregates
Identical comment text across >5 submissions Spam Reject with 429
Feedback on request_ids that don’t exist Probing Reject with 404, log

← 8. Privacy & Consent · Section index · 10. Feedback Aggregation for Dashboards →