diff --git a/docs/cwe-top25-2025-mapping.md b/docs/cwe-top25-2025-mapping.md
new file mode 100644
index 0000000..8afa611
--- /dev/null
+++ b/docs/cwe-top25-2025-mapping.md
@@ -0,0 +1,113 @@
+# CWE Top 25 (2025) Mapping to Project CodeGuard Rules
+
+This document maps the [2025 MITRE CWE Top 25 Most Dangerous Software Weaknesses](https://cwe.mitre.org/top25/archive/2025/2025_cwe_top25.html) to existing Project CodeGuard rules. It identifies which CWEs are covered, which rules address them, and where gaps exist that require new rules.
+
+The CWE Top 25 is published annually by MITRE based on real-world CVE and exploitation data. This mapping helps assess CodeGuard's coverage against the most prevalent vulnerability classes and prioritize new rule development.
+
+## Coverage Summary
+
+- **Fully covered**: 16 of 25 CWEs have direct, explicit rule coverage
+- **Partially covered**: 8 of 25 CWEs are addressed by related rules but lack dedicated or complete guidance
+- **Gap identified**: 1 CWE (CWE-770) has no existing rule coverage
+
+## Mapping Table
+
+Each row maps a CWE from the 2025 Top 25 to the CodeGuard rules that address it. The "Coverage" column uses:
+
+- **Full** - The CWE is directly and explicitly addressed by one or more rules
+- **Partial** - The CWE is addressed indirectly or only for specific languages
+- **Gap** - No existing rule covers this CWE
+
+### Core Rules
+
+| Rank | CWE ID | CWE Name | CodeGuard Core Rule(s) | Coverage | Notes |
+|------|--------|----------|----------------------|----------|-------|
+| 1 | CWE-79 | Cross-site Scripting (XSS) | `codeguard-0-client-side-web-security` | Full | Covers context-aware XSS prevention (HTML, attribute, JS, URL, CSS contexts), DOM-based XSS, dangerous sinks, and CSP deployment |
+| 2 | CWE-89 | SQL Injection | `codeguard-0-input-validation-injection` | Full | Covers prepared statements, parameterized queries, bind variables, stored procedure safety, and ORM-level protections |
+| 3 | CWE-352 | Cross-Site Request Forgery (CSRF) | `codeguard-0-client-side-web-security` | Full | Covers synchronizer tokens, SameSite cookies, origin/referer validation, and framework-specific CSRF protections |
+| 4 | CWE-862 | Missing Authorization | `codeguard-0-authorization-access-control` | Full | Covers deny-by-default, per-request authorization checks, RBAC/ABAC/ReBAC, and centralized authorization middleware |
+| 5 | CWE-787 | Out-of-bounds Write | `codeguard-0-safe-c-functions` | Partial | Addresses buffer overflows through safe function replacements (`snprintf`, `strncpy`, bounds checking). C/C++ only; no coverage for memory-unsafe patterns in other languages |
+| 6 | CWE-22 | Path Traversal | `codeguard-0-file-handling-and-uploads` | Full | Covers path canonicalization, directory traversal prevention, sandboxed storage, and server-generated filenames |
+| 7 | CWE-416 | Use After Free | `codeguard-0-safe-c-functions` | Partial | Addresses memory safety practices for C/C++. Does not cover use-after-free patterns in languages with manual memory management beyond C/C++ |
+| 8 | CWE-125 | Out-of-bounds Read | `codeguard-0-safe-c-functions` | Partial | Covered through bounds-checked function alternatives and buffer size validation. C/C++ only |
+| 9 | CWE-78 | OS Command Injection | `codeguard-0-input-validation-injection` | Full | Covers OS command injection defense with parameterized APIs, input sanitization, and avoidance of shell invocation |
+| 10 | CWE-94 | Code Injection | `codeguard-0-input-validation-injection` | Partial | Addresses injection broadly but does not provide standalone guidance for `eval()`/`exec()`, template injection, or dynamic code generation patterns |
+| 11 | CWE-120 | Classic Buffer Overflow | `codeguard-0-safe-c-functions` | Partial | Covers safe alternatives to `strcpy`, `sprintf`, `gets`, and other unbounded copy functions. New to Top 25 in 2025 |
+| 12 | CWE-434 | Unrestricted Upload of File with Dangerous Type | `codeguard-0-file-handling-and-uploads` | Full | Covers extension validation, content-type verification, magic number checks, storage isolation, and malware scanning |
+| 13 | CWE-476 | NULL Pointer Dereference | `codeguard-0-safe-c-functions` | Partial | Implicit in C/C++ safe coding practices. No explicit guidance for null safety patterns in Java, Go, Kotlin, or Rust |
+| 14 | CWE-121 | Stack-based Buffer Overflow | `codeguard-0-safe-c-functions` | Partial | Covered through safe function alternatives and stack protection guidance. New to Top 25 in 2025 |
+| 15 | CWE-502 | Deserialization of Untrusted Data | `codeguard-0-xml-and-serialization` | Full | Covers unsafe native deserialization, type-safe alternatives, allowlisting, and platform-specific hardening (Java, Python, PHP, Ruby) |
+| 16 | CWE-122 | Heap-based Buffer Overflow | `codeguard-0-safe-c-functions` | Partial | Addressed through dynamic allocation safety and bounds checking. New to Top 25 in 2025 |
+| 17 | CWE-863 | Incorrect Authorization | `codeguard-0-authorization-access-control` | Full | Covers IDOR prevention, mass assignment protection, resource-level permission validation, and least-privilege enforcement |
+| 18 | CWE-20 | Improper Input Validation | `codeguard-0-input-validation-injection` | Full | Covers syntactic and semantic validation, allowlists, canonicalization, Unicode normalization, and ReDoS prevention |
+| 19 | CWE-284 | Improper Access Control | `codeguard-0-authorization-access-control` | Full | Covered through centralized authorization, middleware enforcement, and per-request access checks. New to Top 25 in 2025 |
+| 20 | CWE-200 | Exposure of Sensitive Information | `codeguard-0-privacy-data-protection`, `codeguard-1-hardcoded-credentials` | Full | Covers data minimization, encryption at rest/transit, credential protection, and error message sanitization |
+| 21 | CWE-306 | Missing Authentication for Critical Function | `codeguard-0-authentication-mfa` | Full | Covers authentication requirements, MFA enforcement, OAuth/OIDC flows, and session binding |
+| 22 | CWE-918 | Server-Side Request Forgery (SSRF) | `codeguard-0-api-web-services` | Full | Covers SSRF controls including URL allowlists, protocol restrictions, and internal network access prevention |
+| 23 | CWE-77 | Command Injection | `codeguard-0-input-validation-injection` | Full | Addressed alongside OS command injection (CWE-78) with parameterized command APIs and shell avoidance |
+| 24 | CWE-639 | Authorization Bypass via User-Controlled Key | `codeguard-0-authorization-access-control` | Full | Directly addressed through IDOR prevention guidance: user-scoped queries, server-side lookups, non-enumerable identifiers. New to Top 25 in 2025 |
+| 25 | CWE-770 | Allocation of Resources Without Limits or Throttling | None | **Gap** | No existing rule covers rate limiting, resource quotas, memory bounds, connection pool limits, or DoS prevention through resource management. New to Top 25 in 2025 |
+
+### OWASP Supplementary Rules
+
+Several OWASP rules provide additional depth for CWEs already covered by core rules:
+
+| CWE ID | OWASP Rule(s) | Additional Coverage |
+|--------|--------------|-------------------|
+| CWE-79 | `codeguard-0-cross-site-scripting-prevention`, `codeguard-0-dom-based-xss-prevention`, `codeguard-0-xss-filter-evasion`, `codeguard-0-content-security-policy` | Framework-specific XSS guidance, CSP deployment details, filter evasion patterns |
+| CWE-89 | `codeguard-0-sql-injection-prevention`, `codeguard-0-query-parameterization` | Database-specific parameterization, ORM safety patterns |
+| CWE-352 | `codeguard-0-cross-site-request-forgery-prevention` | Framework-specific CSRF token implementation |
+| CWE-862/863 | `codeguard-0-authorization`, `codeguard-0-authorization-testing-automation` | Authorization testing automation, policy verification |
+| CWE-22 | `codeguard-0-input-validation` | Broader input validation including path components |
+| CWE-78/77 | `codeguard-0-os-command-injection-defense`, `codeguard-0-injection-prevention` | Dedicated command injection cheat sheet content |
+| CWE-434 | `codeguard-0-file-upload` | Extended file upload validation patterns |
+| CWE-502 | `codeguard-0-deserialization` | Language-specific deserialization hardening |
+| CWE-120/121/122 | `codeguard-0-cw-memory-string-usage-guidelines`, `codeguard-0-c-based-toolchain-hardening` | Compiler flags, ASLR, stack canaries, toolchain hardening |
+| CWE-918 | `codeguard-0-server-side-request-forgery-prevention` | Dedicated SSRF prevention patterns |
+| CWE-639 | `codeguard-0-insecure-direct-object-reference-prevention` | IDOR-specific testing and prevention patterns |
+| CWE-200 | `codeguard-0-error-handling` | Secure error handling to prevent information disclosure |
+
+## Gap Analysis
+
+### CWE-770: Allocation of Resources Without Limits or Throttling (Gap)
+
+This CWE is new to the 2025 Top 25 and has no coverage in any existing CodeGuard rule. It covers:
+
+- Rate limiting for API endpoints and authentication attempts
+- Memory allocation bounds and maximum payload sizes
+- Connection pool limits and timeout enforcement
+- Thread/process pool sizing and queue depth limits
+- File descriptor and disk space quotas
+- Recursive computation depth limits
+- Denial-of-service prevention through resource management
+
+**Recommendation**: Create a new core rule `codeguard-0-resource-limits-dos-prevention.md` to address this gap.
+
+### Partial Coverage Areas
+
+The following CWEs have partial coverage that could be strengthened:
+
+**CWE-94 (Code Injection)**: The existing injection rule treats code injection as part of a broader injection category. Standalone guidance for `eval()`/`exec()` avoidance, template injection (Jinja2, Twig, ERB, Handlebars), and dynamic code generation would improve coverage.
+
+**CWE-476 (NULL Pointer Dereference)**: Current coverage is limited to C/C++ through safe function alternatives. Explicit guidance for null safety patterns in Java (Optional), Kotlin (null safety), Go (nil checks), Rust (Option/Result), and TypeScript (strict null checks) would expand coverage across the language ecosystem.
+
+**Memory Safety CWEs (CWE-120, 121, 122, 125, 416, 787)**: All six memory safety CWEs in the Top 25 are handled by `codeguard-0-safe-c-functions.md`, which is specific to C/C++. For languages with manual or semi-manual memory management, additional guidance may be warranted. The OWASP `codeguard-0-c-based-toolchain-hardening` rule provides compiler-level mitigations but is also C/C++ specific.
+
+## 2025 Top 25 Changes
+
+Six CWEs are new to the 2025 list compared to 2024:
+
+| CWE ID | CWE Name | CodeGuard Status |
+|--------|----------|-----------------|
+| CWE-120 | Classic Buffer Overflow | Partial (via safe-c-functions) |
+| CWE-121 | Stack-based Buffer Overflow | Partial (via safe-c-functions) |
+| CWE-122 | Heap-based Buffer Overflow | Partial (via safe-c-functions) |
+| CWE-284 | Improper Access Control | Full (via authorization-access-control) |
+| CWE-639 | Authorization Bypass via User-Controlled Key | Full (via authorization-access-control) |
+| CWE-770 | Allocation of Resources Without Limits | **Gap** |
+
+## References
+
+- [2025 CWE Top 25 Most Dangerous Software Weaknesses](https://cwe.mitre.org/top25/archive/2025/2025_cwe_top25.html)
+- [CWE Top 25 Methodology](https://cwe.mitre.org/top25/archive/2025/2025_methodology.html)
+- [Project CodeGuard Core Rules](https://github.com/cosai-oasis/project-codeguard/tree/main/sources/core)
diff --git a/skills/software-security/SKILL.md b/skills/software-security/SKILL.md
index 1dc321f..f3c2a7e 100644
--- a/skills/software-security/SKILL.md
+++ b/skills/software-security/SKILL.md
@@ -30,29 +30,29 @@ When writing or reviewing code:
 | Language | Rule Files to Apply |
 |----------|---------------------|
 | apex | codeguard-0-input-validation-injection.md |
-| c | codeguard-0-additional-cryptography.md, codeguard-0-api-web-services.md, codeguard-0-authentication-mfa.md, codeguard-0-authorization-access-control.md, codeguard-0-client-side-web-security.md, codeguard-0-data-storage.md, codeguard-0-file-handling-and-uploads.md, codeguard-0-framework-and-languages.md, codeguard-0-iac-security.md, codeguard-0-input-validation-injection.md, codeguard-0-logging.md, codeguard-0-safe-c-functions.md, codeguard-0-session-management-and-cookies.md, codeguard-0-xml-and-serialization.md |
+| c | codeguard-0-additional-cryptography.md, codeguard-0-api-web-services.md, codeguard-0-authentication-mfa.md, codeguard-0-authorization-access-control.md, codeguard-0-client-side-web-security.md, codeguard-0-data-storage.md, codeguard-0-file-handling-and-uploads.md, codeguard-0-framework-and-languages.md, codeguard-0-iac-security.md, codeguard-0-input-validation-injection.md, codeguard-0-logging.md, codeguard-0-resource-limits-dos-prevention.md, codeguard-0-safe-c-functions.md, codeguard-0-session-management-and-cookies.md, codeguard-0-xml-and-serialization.md |
 | cpp | codeguard-0-safe-c-functions.md |
 | d | codeguard-0-iac-security.md |
 | docker | codeguard-0-devops-ci-cd-containers.md, codeguard-0-supply-chain-security.md |
-| go | codeguard-0-additional-cryptography.md, codeguard-0-api-web-services.md, codeguard-0-authentication-mfa.md, codeguard-0-authorization-access-control.md, codeguard-0-file-handling-and-uploads.md, codeguard-0-input-validation-injection.md, codeguard-0-mcp-security.md, codeguard-0-session-management-and-cookies.md, codeguard-0-xml-and-serialization.md |
+| go | codeguard-0-additional-cryptography.md, codeguard-0-api-web-services.md, codeguard-0-authentication-mfa.md, codeguard-0-authorization-access-control.md, codeguard-0-file-handling-and-uploads.md, codeguard-0-input-validation-injection.md, codeguard-0-mcp-security.md, codeguard-0-resource-limits-dos-prevention.md, codeguard-0-session-management-and-cookies.md, codeguard-0-xml-and-serialization.md |
 | html | codeguard-0-client-side-web-security.md, codeguard-0-input-validation-injection.md, codeguard-0-session-management-and-cookies.md |
-| java | codeguard-0-additional-cryptography.md, codeguard-0-api-web-services.md, codeguard-0-authentication-mfa.md, codeguard-0-authorization-access-control.md, codeguard-0-file-handling-and-uploads.md, codeguard-0-framework-and-languages.md, codeguard-0-input-validation-injection.md, codeguard-0-mcp-security.md, codeguard-0-mobile-apps.md, codeguard-0-session-management-and-cookies.md, codeguard-0-xml-and-serialization.md |
-| javascript | codeguard-0-additional-cryptography.md, codeguard-0-api-web-services.md, codeguard-0-authentication-mfa.md, codeguard-0-authorization-access-control.md, codeguard-0-client-side-web-security.md, codeguard-0-cloud-orchestration-kubernetes.md, codeguard-0-data-storage.md, codeguard-0-devops-ci-cd-containers.md, codeguard-0-file-handling-and-uploads.md, codeguard-0-framework-and-languages.md, codeguard-0-iac-security.md, codeguard-0-input-validation-injection.md, codeguard-0-logging.md, codeguard-0-mcp-security.md, codeguard-0-mobile-apps.md, codeguard-0-privacy-data-protection.md, codeguard-0-session-management-and-cookies.md, codeguard-0-supply-chain-security.md |
+| java | codeguard-0-additional-cryptography.md, codeguard-0-api-web-services.md, codeguard-0-authentication-mfa.md, codeguard-0-authorization-access-control.md, codeguard-0-file-handling-and-uploads.md, codeguard-0-framework-and-languages.md, codeguard-0-input-validation-injection.md, codeguard-0-mcp-security.md, codeguard-0-mobile-apps.md, codeguard-0-resource-limits-dos-prevention.md, codeguard-0-session-management-and-cookies.md, codeguard-0-xml-and-serialization.md |
+| javascript | codeguard-0-additional-cryptography.md, codeguard-0-api-web-services.md, codeguard-0-authentication-mfa.md, codeguard-0-authorization-access-control.md, codeguard-0-client-side-web-security.md, codeguard-0-cloud-orchestration-kubernetes.md, codeguard-0-data-storage.md, codeguard-0-devops-ci-cd-containers.md, codeguard-0-file-handling-and-uploads.md, codeguard-0-framework-and-languages.md, codeguard-0-iac-security.md, codeguard-0-input-validation-injection.md, codeguard-0-logging.md, codeguard-0-mcp-security.md, codeguard-0-mobile-apps.md, codeguard-0-privacy-data-protection.md, codeguard-0-resource-limits-dos-prevention.md, codeguard-0-session-management-and-cookies.md, codeguard-0-supply-chain-security.md |
 | kotlin | codeguard-0-additional-cryptography.md, codeguard-0-authentication-mfa.md, codeguard-0-framework-and-languages.md, codeguard-0-mobile-apps.md |
 | matlab | codeguard-0-additional-cryptography.md, codeguard-0-authentication-mfa.md, codeguard-0-mobile-apps.md, codeguard-0-privacy-data-protection.md |
 | perl | codeguard-0-mobile-apps.md |
 | php | codeguard-0-additional-cryptography.md, codeguard-0-api-web-services.md, codeguard-0-authentication-mfa.md, codeguard-0-authorization-access-control.md, codeguard-0-client-side-web-security.md, codeguard-0-file-handling-and-uploads.md, codeguard-0-framework-and-languages.md, codeguard-0-input-validation-injection.md, codeguard-0-session-management-and-cookies.md, codeguard-0-xml-and-serialization.md |
 | powershell | codeguard-0-devops-ci-cd-containers.md, codeguard-0-iac-security.md, codeguard-0-input-validation-injection.md |
-| python | codeguard-0-additional-cryptography.md, codeguard-0-api-web-services.md, codeguard-0-authentication-mfa.md, codeguard-0-authorization-access-control.md, codeguard-0-file-handling-and-uploads.md, codeguard-0-framework-and-languages.md, codeguard-0-input-validation-injection.md, codeguard-0-mcp-security.md, codeguard-0-session-management-and-cookies.md, codeguard-0-xml-and-serialization.md |
-| ruby | codeguard-0-additional-cryptography.md, codeguard-0-api-web-services.md, codeguard-0-authentication-mfa.md, codeguard-0-authorization-access-control.md, codeguard-0-file-handling-and-uploads.md, codeguard-0-framework-and-languages.md, codeguard-0-iac-security.md, codeguard-0-input-validation-injection.md, codeguard-0-session-management-and-cookies.md, codeguard-0-xml-and-serialization.md |
-| rust | codeguard-0-mcp-security.md |
+| python | codeguard-0-additional-cryptography.md, codeguard-0-api-web-services.md, codeguard-0-authentication-mfa.md, codeguard-0-authorization-access-control.md, codeguard-0-file-handling-and-uploads.md, codeguard-0-framework-and-languages.md, codeguard-0-input-validation-injection.md, codeguard-0-mcp-security.md, codeguard-0-resource-limits-dos-prevention.md, codeguard-0-session-management-and-cookies.md, codeguard-0-xml-and-serialization.md |
+| ruby | codeguard-0-additional-cryptography.md, codeguard-0-api-web-services.md, codeguard-0-authentication-mfa.md, codeguard-0-authorization-access-control.md, codeguard-0-file-handling-and-uploads.md, codeguard-0-framework-and-languages.md, codeguard-0-iac-security.md, codeguard-0-input-validation-injection.md, codeguard-0-resource-limits-dos-prevention.md, codeguard-0-session-management-and-cookies.md, codeguard-0-xml-and-serialization.md |
+| rust | codeguard-0-mcp-security.md, codeguard-0-resource-limits-dos-prevention.md |
 | shell | codeguard-0-devops-ci-cd-containers.md, codeguard-0-iac-security.md, codeguard-0-input-validation-injection.md |
 | sql | codeguard-0-data-storage.md, codeguard-0-input-validation-injection.md |
 | swift | codeguard-0-additional-cryptography.md, codeguard-0-authentication-mfa.md, codeguard-0-mobile-apps.md |
-| typescript | codeguard-0-additional-cryptography.md, codeguard-0-api-web-services.md, codeguard-0-authentication-mfa.md, codeguard-0-authorization-access-control.md, codeguard-0-client-side-web-security.md, codeguard-0-file-handling-and-uploads.md, codeguard-0-framework-and-languages.md, codeguard-0-input-validation-injection.md, codeguard-0-mcp-security.md, codeguard-0-session-management-and-cookies.md |
+| typescript | codeguard-0-additional-cryptography.md, codeguard-0-api-web-services.md, codeguard-0-authentication-mfa.md, codeguard-0-authorization-access-control.md, codeguard-0-client-side-web-security.md, codeguard-0-file-handling-and-uploads.md, codeguard-0-framework-and-languages.md, codeguard-0-input-validation-injection.md, codeguard-0-mcp-security.md, codeguard-0-resource-limits-dos-prevention.md, codeguard-0-session-management-and-cookies.md |
 | vlang | codeguard-0-client-side-web-security.md |
 | xml | codeguard-0-additional-cryptography.md, codeguard-0-api-web-services.md, codeguard-0-devops-ci-cd-containers.md, codeguard-0-framework-and-languages.md, codeguard-0-mobile-apps.md, codeguard-0-xml-and-serialization.md |
-| yaml | codeguard-0-additional-cryptography.md, codeguard-0-api-web-services.md, codeguard-0-authorization-access-control.md, codeguard-0-cloud-orchestration-kubernetes.md, codeguard-0-data-storage.md, codeguard-0-devops-ci-cd-containers.md, codeguard-0-framework-and-languages.md, codeguard-0-iac-security.md, codeguard-0-logging.md, codeguard-0-privacy-data-protection.md, codeguard-0-supply-chain-security.md |
+| yaml | codeguard-0-additional-cryptography.md, codeguard-0-api-web-services.md, codeguard-0-authorization-access-control.md, codeguard-0-cloud-orchestration-kubernetes.md, codeguard-0-data-storage.md, codeguard-0-devops-ci-cd-containers.md, codeguard-0-framework-and-languages.md, codeguard-0-iac-security.md, codeguard-0-logging.md, codeguard-0-privacy-data-protection.md, codeguard-0-resource-limits-dos-prevention.md, codeguard-0-supply-chain-security.md |
 
 
 3. Proactive Security: Don't just avoid vulnerabilities-actively implement secure patterns:
diff --git a/skills/software-security/rules/codeguard-0-resource-limits-dos-prevention.md b/skills/software-security/rules/codeguard-0-resource-limits-dos-prevention.md
new file mode 100644
index 0000000..453ec1b
--- /dev/null
+++ b/skills/software-security/rules/codeguard-0-resource-limits-dos-prevention.md
@@ -0,0 +1,113 @@
+---
+description: Resource allocation limits and denial-of-service prevention (rate limiting, quotas, memory bounds, connection management)
+languages:
+- c
+- go
+- java
+- javascript
+- python
+- ruby
+- rust
+- typescript
+- yaml
+alwaysApply: false
+---
+
+rule_id: codeguard-0-resource-limits-dos-prevention
+
+## Resource Limits & Denial-of-Service Prevention
+
+Bound every resource that external input can influence. Unbounded allocation is the root cause of most denial-of-service conditions in application code.
+
+### Rate Limiting
+
+- Apply rate limits to all public-facing endpoints. Use token bucket or sliding window algorithms.
+- Enforce stricter limits on authentication endpoints (login, password reset, MFA verification) to prevent credential brute-forcing.
+- Rate limit by multiple dimensions: source IP, authenticated user, API key, and endpoint.
+- Return HTTP 429 with a `Retry-After` header when limits are exceeded. Do not disclose internal rate limit configuration in response bodies.
+- For distributed systems, use a shared rate limit store (Redis, Memcached) to prevent per-instance bypass.
+
+### Request Size and Payload Limits
+
+- Set maximum request body sizes at the web server, reverse proxy, and application layers.
+- Limit individual field lengths, array sizes, and object nesting depth in parsed input (JSON, XML, multipart).
+- Reject requests that exceed limits early, before allocating buffers or performing parsing.
+- For file uploads, enforce maximum file size and total upload size per request.
+- For streaming endpoints, enforce maximum stream duration and total bytes transferred.
+
+### Memory and Buffer Management
+
+- Pre-allocate fixed-size buffers where possible. Avoid unbounded dynamic allocation driven by user input.
+- Cap in-memory collection sizes (lists, maps, queues) when populated from external data.
+- Set JVM heap limits (`-Xmx`), container memory limits (`memory` in Docker/K8s), and language-runtime memory caps.
+- Monitor memory usage and trigger graceful degradation (rejecting new requests, shedding load) before OOM conditions.
+
+### Connection and Concurrency Limits
+
+- Configure maximum concurrent connections at the load balancer, reverse proxy, and application server.
+- Set connection timeouts (connect, read, write, idle) at every layer. Drop idle connections aggressively.
+- Limit connection pool sizes for databases, caches, and external service clients. Configure pool exhaustion behavior (fail-fast vs. bounded wait).
+- Use thread pool or worker pool sizing with hard upper bounds. Queue excess work with bounded queue depths and reject overflow.
+
+### Compute and Recursion Limits
+
+- Set maximum execution time for request handlers. Kill or abort requests that exceed the deadline.
+- Limit recursion depth for any recursive processing of user-supplied data (JSON parsing, XML entity expansion, graph traversal).
+- For regular expression processing, use engines that guarantee linear-time matching or enforce match timeout limits to prevent ReDoS.
+- Limit iteration counts for loops driven by external input.
+
+### Disk and Storage Quotas
+
+- Enforce per-user and per-tenant storage quotas for file uploads, generated artifacts, and log output.
+- Set maximum log file sizes with rotation policies. Prevent log flooding from filling disk.
+- Use temporary directories with size limits for intermediate processing. Clean up temp files on request completion or timeout.
+
+### Database and Query Limits
+
+- Set query execution timeouts at the database connection level.
+- Limit result set sizes with `LIMIT` clauses or pagination. Never return unbounded result sets.
+- Cap the number of concurrent queries per user or tenant.
+- For search endpoints, limit query complexity (number of terms, wildcard usage, join depth).
+
+### Queue and Background Job Limits
+
+- Set maximum queue depth for message queues and job queues. Reject or dead-letter messages when queues are full.
+- Limit the number of concurrent background jobs per user or tenant.
+- Enforce maximum job execution time with hard kill after deadline.
+- Implement backpressure mechanisms to slow producers when consumers fall behind.
+
+### Network and External Call Limits
+
+- Set timeouts on all outbound HTTP calls, DNS lookups, and external service requests.
+- Use circuit breakers to stop calling failing downstream services. Configure failure thresholds and recovery windows.
+- Limit the number of concurrent outbound connections per downstream dependency.
+- Cap retry attempts with exponential backoff and jitter. Never retry indefinitely.
+
+### Kubernetes and Container Specific
+
+- Set CPU and memory `requests` and `limits` on all containers.
+- Configure Horizontal Pod Autoscaler (HPA) with maximum replica counts.
+- Use `LimitRange` and `ResourceQuota` objects to enforce per-namespace resource ceilings.
+- Set `terminationGracePeriodSeconds` to bound shutdown time.
+
+### Implementation Checklist
+
+- Rate limits applied to all public endpoints, with stricter limits on auth endpoints
+- Maximum request body size configured at server and application layers
+- Connection pool sizes bounded for all external dependencies (database, cache, APIs)
+- Request handler timeouts configured
+- Container memory and CPU limits set
+- Queue depths bounded with overflow handling
+- Outbound call timeouts and circuit breakers configured
+- Pagination enforced on all list/search endpoints
+- Disk quotas and log rotation configured
+- Recursion and iteration depth limits set for user-input-driven processing
+
+### Test Plan
+
+- Load test endpoints to verify rate limits trigger correctly
+- Send oversized payloads and confirm rejection before full parsing
+- Exhaust connection pools and verify fail-fast or bounded-wait behavior
+- Trigger compute-intensive operations and verify timeout enforcement
+- Fill queues to capacity and verify overflow rejection or dead-lettering
+- Verify container resource limits are enforced by orchestrator
diff --git a/sources/core/codeguard-0-resource-limits-dos-prevention.md b/sources/core/codeguard-0-resource-limits-dos-prevention.md
new file mode 100644
index 0000000..4d6190c
--- /dev/null
+++ b/sources/core/codeguard-0-resource-limits-dos-prevention.md
@@ -0,0 +1,114 @@
+---
+description: Resource allocation limits and denial-of-service prevention (rate limiting, quotas, memory bounds, connection management)
+languages:
+- c
+- go
+- java
+- javascript
+- python
+- ruby
+- rust
+- typescript
+- yaml
+tags:
+- web
+- infrastructure
+alwaysApply: false
+---
+
+## Resource Limits & Denial-of-Service Prevention
+
+Bound every resource that external input can influence. Unbounded allocation is the root cause of most denial-of-service conditions in application code.
+
+### Rate Limiting
+
+- Apply rate limits to all public-facing endpoints. Use token bucket or sliding window algorithms.
+- Enforce stricter limits on authentication endpoints (login, password reset, MFA verification) to prevent credential brute-forcing.
+- Rate limit by multiple dimensions: source IP, authenticated user, API key, and endpoint.
+- Return HTTP 429 with a `Retry-After` header when limits are exceeded. Do not disclose internal rate limit configuration in response bodies.
+- For distributed systems, use a shared rate limit store (Redis, Memcached) to prevent per-instance bypass.
+
+### Request Size and Payload Limits
+
+- Set maximum request body sizes at the web server, reverse proxy, and application layers.
+- Limit individual field lengths, array sizes, and object nesting depth in parsed input (JSON, XML, multipart).
+- Reject requests that exceed limits early, before allocating buffers or performing parsing.
+- For file uploads, enforce maximum file size and total upload size per request.
+- For streaming endpoints, enforce maximum stream duration and total bytes transferred.
+
+### Memory and Buffer Management
+
+- Pre-allocate fixed-size buffers where possible. Avoid unbounded dynamic allocation driven by user input.
+- Cap in-memory collection sizes (lists, maps, queues) when populated from external data.
+- Set JVM heap limits (`-Xmx`), container memory limits (`memory` in Docker/K8s), and language-runtime memory caps.
+- Monitor memory usage and trigger graceful degradation (rejecting new requests, shedding load) before OOM conditions.
+
+### Connection and Concurrency Limits
+
+- Configure maximum concurrent connections at the load balancer, reverse proxy, and application server.
+- Set connection timeouts (connect, read, write, idle) at every layer. Drop idle connections aggressively.
+- Limit connection pool sizes for databases, caches, and external service clients. Configure pool exhaustion behavior (fail-fast vs. bounded wait).
+- Use thread pool or worker pool sizing with hard upper bounds. Queue excess work with bounded queue depths and reject overflow.
+
+### Compute and Recursion Limits
+
+- Set maximum execution time for request handlers. Kill or abort requests that exceed the deadline.
+- Limit recursion depth for any recursive processing of user-supplied data (JSON parsing, XML entity expansion, graph traversal).
+- For regular expression processing, use engines that guarantee linear-time matching or enforce match timeout limits to prevent ReDoS.
+- Limit iteration counts for loops driven by external input.
+
+### Disk and Storage Quotas
+
+- Enforce per-user and per-tenant storage quotas for file uploads, generated artifacts, and log output.
+- Set maximum log file sizes with rotation policies. Prevent log flooding from filling disk.
+- Use temporary directories with size limits for intermediate processing. Clean up temp files on request completion or timeout.
+
+### Database and Query Limits
+
+- Set query execution timeouts at the database connection level.
+- Limit result set sizes with `LIMIT` clauses or pagination. Never return unbounded result sets.
+- Cap the number of concurrent queries per user or tenant.
+- For search endpoints, limit query complexity (number of terms, wildcard usage, join depth).
+
+### Queue and Background Job Limits
+
+- Set maximum queue depth for message queues and job queues. Reject or dead-letter messages when queues are full.
+- Limit the number of concurrent background jobs per user or tenant.
+- Enforce maximum job execution time with hard kill after deadline.
+- Implement backpressure mechanisms to slow producers when consumers fall behind.
+
+### Network and External Call Limits
+
+- Set timeouts on all outbound HTTP calls, DNS lookups, and external service requests.
+- Use circuit breakers to stop calling failing downstream services. Configure failure thresholds and recovery windows.
+- Limit the number of concurrent outbound connections per downstream dependency.
+- Cap retry attempts with exponential backoff and jitter. Never retry indefinitely.
+
+### Kubernetes and Container Specific
+
+- Set CPU and memory `requests` and `limits` on all containers.
+- Configure Horizontal Pod Autoscaler (HPA) with maximum replica counts.
+- Use `LimitRange` and `ResourceQuota` objects to enforce per-namespace resource ceilings.
+- Set `terminationGracePeriodSeconds` to bound shutdown time.
+
+### Implementation Checklist
+
+- Rate limits applied to all public endpoints, with stricter limits on auth endpoints
+- Maximum request body size configured at server and application layers
+- Connection pool sizes bounded for all external dependencies (database, cache, APIs)
+- Request handler timeouts configured
+- Container memory and CPU limits set
+- Queue depths bounded with overflow handling
+- Outbound call timeouts and circuit breakers configured
+- Pagination enforced on all list/search endpoints
+- Disk quotas and log rotation configured
+- Recursion and iteration depth limits set for user-input-driven processing
+
+### Test Plan
+
+- Load test endpoints to verify rate limits trigger correctly
+- Send oversized payloads and confirm rejection before full parsing
+- Exhaust connection pools and verify fail-fast or bounded-wait behavior
+- Trigger compute-intensive operations and verify timeout enforcement
+- Fill queues to capacity and verify overflow rejection or dead-lettering
+- Verify container resource limits are enforced by orchestrator