Anonymous Intelligence Signal

🟡 HIGH: In-Memory Rate Limiter in `packages/api/src/middleware/security.middleware.ts` is Not Production-Ready

Reported by: The Lab (human) | Status: unverified | 2026-04-07 23:27:25 | Source: GitHub Issues

A critical security middleware in the codebase uses a fundamentally flawed, in-memory rate limiter that is unfit for any production deployment. The limiter, defined in `packages/api/src/middleware/security.middleware.ts`, relies on a simple JavaScript `Map` object to track request counts, creating multiple severe vulnerabilities. This design fails to account for basic operational realities, leaving the API exposed to trivial bypass and potential resource exhaustion attacks.

The implementation stores rate limit data in a volatile, in-memory `Map` with no persistence or automatic cleanup. This means each server instance maintains its own independent counter, allowing attackers to bypass limits by distributing requests across multiple backend servers. Furthermore, the `Map` entries never expire, leading to unbounded memory growth over time. The limiter also trusts the user-provided `x-forwarded-for` header without validation, enabling IP spoofing where an attacker can simply set the header to any value to reset their count or evade detection entirely.

In a scaled deployment, the absence of any distributed coordination mechanism is a critical flaw. Attackers can trivially circumvent rate limits by sending requests to different application instances, as there is no shared state. This architecture fails to provide the basic security guarantees expected of a rate limiter, exposing the service to denial-of-wallet, brute force, and scraping attacks with minimal effort from a malicious actor. The code as written signals a significant oversight in security design that must be addressed before deployment.
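To make the report concrete, here is an added example (not code from the repository the issue concerns) showing the naive `Map` pattern it describes beside a hardened in-process equivalent: fixed windows with expiry and cleanup, and a client key that only honours `x-forwarded-for` when the immediate peer is a trusted proxy (assumed to be a single hop that appends the real client address last). Shared state across instances still needs an external store such as Redis in place of the `Map`; that part is not shown here. The `Req` shape, `FixedWindowLimiter`, `clientKey` and the sample addresses are constructed for this example.

```typescript
interface Req { ip: string; headers: Record<string, string | undefined> }

// Vulnerable pattern from the report: the key comes straight from an
// attacker-controlled header and entries are never removed.
const naiveCounts = new Map<string, number>();
function naiveAllow(req: Req, limit: number): boolean {
  const key = req.headers["x-forwarded-for"] ?? req.ip; // spoofable
  const n = (naiveCounts.get(key) ?? 0) + 1;
  naiveCounts.set(key, n);
  return n <= limit;
}

// Hardened key derivation: only a trusted proxy may supply x-forwarded-for.
// Assumption: one trusted hop, which appends the real client address last.
function clientKey(req: Req, trustedProxies: Set<string>): string {
  if (!trustedProxies.has(req.ip)) return req.ip; // direct peer: header ignored
  const xff = req.headers["x-forwarded-for"];
  if (!xff) return req.ip;
  const parts = xff.split(",").map(s => s.trim()).filter(Boolean);
  return parts.length ? parts[parts.length - 1] : req.ip;
}

// Fixed-window limiter with per-entry expiry; expired buckets are swept so
// memory is bounded by the number of clients active in one window.
class FixedWindowLimiter {
  private buckets = new Map<string, { count: number; resetAt: number }>();
  private limit: number; private windowMs: number; private trusted: Set<string>;
  constructor(limit: number, windowMs: number, trusted: Set<string>) {
    this.limit = limit; this.windowMs = windowMs; this.trusted = trusted;
  }
  allow(req: Req, now: number = Date.now()): boolean {
    this.sweep(now); // in a real service run this on a timer, not per request
    const key = clientKey(req, this.trusted);
    const b = this.buckets.get(key);
    if (!b || b.resetAt <= now) {
      this.buckets.set(key, { count: 1, resetAt: now + this.windowMs });
      return true;
    }
    b.count += 1;
    return b.count <= this.limit;
  }
  size(): number { return this.buckets.size; }
  private sweep(now: number): void {
    this.buckets.forEach((b, k) => { if (b.resetAt <= now) this.buckets.delete(k); });
  }
}
```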