Hollahoop

API rate limiting and abuse hardening (platform-wide)

Planned · by someone · 2 days ago

Generalises the per-key rate limiter already shipped in src/lib/api/rest.ts to every public ingress, not just the v1 REST endpoints. Per-IP limits on unauthenticated public surfaces (feedback submission, comments, vote, signup, login, password reset, public hub reads), per-user limits on authenticated mutations, per-project burst caps so a single noisy project cannot drown the platform, and per-org daily envelopes so a misbehaving customer cannot spike infrastructure.

Implementation: a small ratelimit table keyed on (scope, identifier, window_start) backed by a Postgres advisory-lock token bucket, plus an in-memory layer for hot endpoints. Fail-closed on Supabase outage; fail-open only when the limiter itself is unhealthy. Brute-force throttling on /login and /auth/* with exponential backoff per IP and per email. Captcha challenge (hCaptcha or Turnstile) auto-injected on suspicious traffic patterns only, not on every request. Strict body size limits per endpoint (e.g. post body 20kb, ticket body 200kb, attachments via the upload card only). Slowloris timeouts. Standard 429 responses with x-ratelimit-* headers and Retry-After.
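The windowed token bucket and the 429 header contract described above, as an added TypeScript example that is not Hollahoop's own code (the limiter in src/lib/api/rest.ts is not shown here). The scope names, the per-scope limits, the in-memory Map standing in for the Postgres table, and the exact header names are assumptions:

```typescript
// Added example, not Hollahoop's code: in-memory windowed token bucket keyed on
// (scope, identifier, window_start). Scope names, limits and header names are assumed.
type Scope = "ip" | "user" | "project" | "org";
interface Policy { capacity: number; windowMs: number }
interface Decision { allowed: boolean; limit: number; remaining: number; resetAt: number; retryAfterSec: number }

// Assumed envelopes: per-IP (unauthenticated), per-user (mutations), per-project burst, per-org daily.
const POLICIES: Record<Scope, Policy> = {
  ip:      { capacity: 5,      windowMs: 60_000 },
  user:    { capacity: 60,     windowMs: 60_000 },
  project: { capacity: 300,    windowMs: 60_000 },
  org:     { capacity: 10_000, windowMs: 86_400_000 },
};
// Tokens left per (scope, identifier, window_start); stale windows are never read again.
const buckets = new Map<string, number>();
// Decision for one scope; a token is debited only when `commit` is true.
function check(scope: Scope, id: string, now: number, commit: boolean): Decision {
  const { capacity, windowMs } = POLICIES[scope];
  const windowStart = now - (now % windowMs);
  const key = `${scope}:${id}:${windowStart}`;
  const tokens = buckets.get(key) ?? capacity;
  const resetAt = windowStart + windowMs;
  if (tokens <= 0) {
    const retryAfterSec = Math.ceil((resetAt - now) / 1000);
    return { allowed: false, limit: capacity, remaining: 0, resetAt, retryAfterSec };
  }
  if (commit) buckets.set(key, tokens - 1);
  return { allowed: true, limit: capacity, remaining: tokens - 1, resetAt, retryAfterSec: 0 };
}

// Admit only if every applicable scope admits, and debit only then, so a denial in one
// scope (e.g. the IP) does not burn the caller's user, project or org budget.
function admit(scopes: Array<[Scope, string]>, now: number): Decision {
  const denied = scopes.map(([s, id]) => check(s, id, now, false)).find(d => !d.allowed);
  if (denied) return denied;
  const committed = scopes.map(([s, id]) => check(s, id, now, true));
  // Advertise the tightest remaining budget so well-behaved clients back off early.
  return committed.reduce((a, b) => (b.remaining < a.remaining ? b : a));
}
// Response headers; Retry-After accompanies the 429 on denial.
function rateLimitHeaders(d: Decision): Record<string, string> {
  const h: Record<string, string> = {
    "x-ratelimit-limit": String(d.limit),
    "x-ratelimit-remaining": String(d.remaining),
    "x-ratelimit-reset": String(Math.ceil(d.resetAt / 1000)),
  };
  if (!d.allowed) h["retry-after"] = String(d.retryAfterSec);
  return h;
}
```

Pass `admit` the full list of scopes that apply to a request (for an authenticated comment, typically ip, user, project and org) and emit `rateLimitHeaders` on every response, not only on the 429.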

Surfaces a /admin/abuse internal dashboard (Hollahoop staff only, gated by is_hollahoop_admin) showing recent 429s, top noisy IPs, and a manual block list. Audit log integration: every block/unblock recorded. Out of scope: WAF/CDN-level DDoS (handled by the deployment edge if used) and full ML-based bot detection; this card is the deterministic safety net.

Comments (0)

No comments yet.
