#522 [API/Race] Rate limiter TOCTOU - incorrect quota enforcement
Description
**File:** api/middleware/rate_limiter.py:22-47
**Problem:** `check_quota()` and `get_tenant_stats()` run as separate operations. Between the check and the stats read the tenant's quota may change, so the response headers can report an incorrect remaining-token count.
**Fix:** Run both operations in the same transaction:
```python
with db.get_db_connection() as conn:
    with conn.cursor() as cur:
        # Check and stats read share one connection/transaction,
        # so the stats reflect the same quota state the check saw.
        quota_available = rate_limiter.check_quota(conn, tenant_id)
        if quota_available:
            stats = rate_limiter.get_tenant_stats(conn, tenant_id)
        conn.commit()
```
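The following is an added, self-contained illustration of the race and of the transactional fix; it is not code from the project's `rate_limiter.py`. It uses a file-backed SQLite database as a stand-in for the project's `db` module, with a constructed `tenant_quota` table, and the helper names (`handle_racy`, `handle_atomic`, `competing_request`, `consume_token`) are hypothetical. The racy handler issues the check, the stats read and the token consumption as separate autocommit statements, so a competing request can slip in between them; the fixed handler wraps all three in one `BEGIN IMMEDIATE` transaction, which holds the write lock until commit.

```python
import os
import sqlite3
import tempfile


def connect(path, timeout=0.1):
    # isolation_level=None: no implicit BEGIN; transactions are managed explicitly below.
    return sqlite3.connect(path, isolation_level=None, timeout=timeout)


def init_db(tenant_id, tokens):
    """Create a fresh database with a constructed tenant_quota table and one tenant row."""
    path = os.path.join(tempfile.mkdtemp(prefix="rl_"), "quota.db")
    conn = connect(path)
    conn.execute("CREATE TABLE tenant_quota (tenant_id TEXT PRIMARY KEY, remaining INTEGER NOT NULL)")
    conn.execute("INSERT INTO tenant_quota VALUES (?, ?)", (tenant_id, tokens))
    conn.close()
    return path


def read_remaining(conn, tenant_id):
    # fetchall() runs the statement to completion so no read lock lingers after the call.
    rows = conn.execute("SELECT remaining FROM tenant_quota WHERE tenant_id = ?", (tenant_id,)).fetchall()
    return rows[0][0] if rows else None


def check_quota(conn, tenant_id):
    remaining = read_remaining(conn, tenant_id)
    return remaining is not None and remaining > 0


def consume_token(conn, tenant_id):
    conn.execute("UPDATE tenant_quota SET remaining = remaining - 1 WHERE tenant_id = ?", (tenant_id,))


def get_tenant_stats(conn, tenant_id):
    return {"remaining": read_remaining(conn, tenant_id)}


def competing_request(path, tenant_id):
    """A second request on its own connection that tries to take one token.
    Returns True if it got a token, False if the quota was exhausted or the
    database write lock was held by another transaction."""
    other = connect(path)
    try:
        other.execute("BEGIN IMMEDIATE")  # needs the write lock up front
    except sqlite3.OperationalError:      # "database is locked": the fixed handler holds it
        other.close()
        return False
    allowed = check_quota(other, tenant_id)
    if allowed:
        consume_token(other, tenant_id)
    other.execute("COMMIT")
    other.close()
    return allowed


def handle_racy(path, tenant_id, interleave):
    """Mirrors the reported bug: three separate autocommit statements."""
    conn = connect(path)
    allowed = check_quota(conn, tenant_id)      # statement 1
    other_got_token = interleave()              # another request runs here
    stats = get_tenant_stats(conn, tenant_id)   # statement 2: already sees the other write
    if allowed:
        consume_token(conn, tenant_id)          # statement 3: drives remaining below zero
    conn.close()
    return {"allowed": allowed, "header_remaining": stats["remaining"],
            "other_got_token": other_got_token}


def handle_atomic(path, tenant_id, interleave):
    """The fix: check, consume and stats in one write transaction."""
    conn = connect(path)
    conn.execute("BEGIN IMMEDIATE")
    try:
        allowed = check_quota(conn, tenant_id)
        if allowed:
            consume_token(conn, tenant_id)
        stats = get_tenant_stats(conn, tenant_id)
        other_got_token = interleave()          # blocked by our lock; gets no token
        conn.execute("COMMIT")
    except Exception:
        conn.execute("ROLLBACK")
        raise
    finally:
        conn.close()
    return {"allowed": allowed, "header_remaining": stats["remaining"],
            "other_got_token": other_got_token}


def run_scenario(handler, tenant_id="acme", tokens=1):
    """Run one handler against a tenant with a single token while a competing request interleaves."""
    path = init_db(tenant_id, tokens)
    result = handler(path, tenant_id, lambda: competing_request(path, tenant_id))
    conn = connect(path)
    result["final_remaining"] = read_remaining(conn, tenant_id)
    conn.close()
    return result


if __name__ == "__main__":
    print("racy  :", run_scenario(handle_racy))
    print("atomic:", run_scenario(handle_atomic))
```

With a single token, the racy handler admits both requests (the quota bypass from the impact line) and reports a remaining count of 0 to a request it just allowed, ending at -1 in the table; the atomic handler admits exactly one request and its headers match the row it committed.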
**Impact:** Incorrect rate-limit headers; potential quota bypass.