You are building a per-client rate limiter for a service that must cap how many requests each client may make in a given span of time. The limiter is created with a maximum number of requests, the limit, and the length of the time window in milliseconds. Requests arrive over time, each carrying the client key it came from and the logical timestamp at which it reached the limiter. Successive requests never go backward in time: each timestamp is greater than or equal to the previous one.

Implement a class RateLimiter with a constructor RateLimiter(limit, windowMs) and a method allow(key, nowMs). allow is called once per arriving request and returns true if the request is permitted and false if it is rejected. Each client key is limited independently: a key may have up to the limit's worth of permitted requests standing within any trailing window of windowMs milliseconds, and as that key's earlier requests age out of the window it is allowed through again. A permitted request counts toward its key's budget; a rejected one does not.

Specify the limiter's behavior completely. The sliding window per key is the obvious part. Think harder about the key itself: it is the identifier a real client arrives under, and real clients do not always send it in a single canonical form. Decide exactly when two incoming keys should be treated as the same client and counted against the same budget, and when they are genuinely different clients, then write that rule as something a deterministic test could check. A limiter that compares keys exactly as received will let the same client slip past its limit by changing how the key is written.