feat: per-key daily rate limits with whitelist tier

[wms2537]

Summary

Adds enforced per-key daily rate limits across all paid endpoints (chat, REST tools, MCP), with a 3-tier system (free / pro / unlimited) configurable per-key from the admin dashboard. Counters reset at UTC midnight.

Closes the gap where the README claimed "100 calls/day" but no code enforced it.

Tiers

Tier	Chat / day	Tool / day	Worst-case spend per key
free (default)	30	100	~$1.50
pro	300	1000	~$15
unlimited	10000	10000	uncapped-ish

Numbers tuned against openai/gpt-oss-120b pricing. Tiers live in code (apps/web/src/lib/rateLimit.ts) so they can be tuned without a migration; the schema only stores the tier name.

Storage

KV counters at rl:{subject}:{category}:{YYYY-MM-DD} with 48h TTL. Subject is key:{keyId} for API-key auth and user:{userId} for session auth (playground). Admin Bearer auth bypasses entirely.

KV is eventually consistent across regions — small overshoot under bursty traffic is acceptable for a per-day quota.

Enforcement points

• POST /api/v1/chat/completions — 429 returns OpenAI-shape {error:{type:"rate_limit_exceeded"}}
• All 18 POST /api/v1/tools/* routes — 429 returns {error, type, limit, used, resetSeconds, tier}
• POST /mcp tools/call — 429 returns JSON-RPC error code -32002

Every response (200 and 429) carries X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset, X-RateLimit-Tier. 429s additionally carry Retry-After: <seconds>.

What's new

• Migration apps/web/migrations/0005_rate_limits.sql — ALTER TABLE api_keys ADD COLUMN rate_limit_tier TEXT NOT NULL DEFAULT 'free'
• Library apps/web/src/lib/rateLimit.ts — enforceRateLimit(), checkToolRateLimit(), subjectFor(), tier table
• Auth validateRequest.ts returns rateLimitTier for API-key auth; MCP validateApiKey() likewise
• Admin API apps/web/src/app/api/admin/rate-limits/route.ts — GET (list keys + 24h call counts), PATCH (bump tier). Gated by X-Admin-Secret
• Admin UI /dashboard/admin adds a "Rate Limits" tab with a searchable/tier-filterable table and per-key dropdown. Reuses the existing AUTH_SECRET flow
• User UI /dashboard/keys shows a tier badge on each key (read-only)
• Docs docs/api/chat-completions.md rate-limits section, README.md, CLAUDE.md

Deployment status

• Migration 0005_rate_limits.sql already applied to remote D1 arbbuilder
• Worker deployed (version 20f85e74-ea76-4e91-98ef-0ecea741b079)
• Verified live with a real arb_ key:
  • Chat 200 → X-RateLimit-Limit: 30, Remaining: 29, Tier: free
  • Tool 200 → X-RateLimit-Limit: 100, Remaining: 99, Tier: free

Test plan

• cd apps/web && npm test → 20/20 pass
• npx tsc --noEmit clean
• Hit chat endpoint with valid key → 200, headers present, counter increments per call
• Hit any /api/v1/tools/* → 200, headers present, counter increments
• Bump a key to pro from /dashboard/admin (Rate Limits tab) → next call shows X-RateLimit-Limit: 300
• Confirm /dashboard/keys shows a tier badge

🤖 Generated with Claude Code