6695909db2
express-rate-limit v8 raises ERR_ERL_KEY_GEN_IPV6 at boot because the custom keyGenerator returned req.ip verbatim. For IPv6, that lets an attacker rotate through the host bits of their own subnet (~2^72 keys on a typical /56 residential allocation) and escape per-IP rate limiting entirely — useful as a brute-force protection it isn't, then. Wrap req.ip through the library's ipKeyGenerator helper before keying, which truncates IPv6 addresses to their /56 prefix and is a no-op for IPv4. Test coverage for IPv4 / session / SKIP_PATHS unchanged; new case asserts two addresses in the same /56 share a bucket and that distinct /56s remain isolated. Surfaced by the ADR-0030 dockerised dev mode validation. The BFF kept booting (v8's default error handler logs and continues for this validation), so the bypass was live in dev until now.