One question, doesn't GRASP open up the server to potential DoS via resource exhaustion if an attacker publishes fake commits which the server will then have to verify before being able to reject it? I'm not sure if rate limiting or temporary ban etc for IP addresses will be enough to prevent this