Add rate limiting middleware for metrics APIs

[saurabhhhcodes]

Summary

• add middleware for all /api/metrics/* routes with per-user/per-IP rate limiting
• authenticated users are limited to 60 metrics requests per minute by githubId
• unauthenticated callers are limited to 10 metrics requests per minute by IP
• add X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset, and Retry-After headers
• use Upstash Redis REST when UPSTASH_REDIS_REST_URL and UPSTASH_REDIS_REST_TOKEN are configured, with an in-memory fallback for local/dev resilience
• log rate-limit hits with the identifier, route path, and limit

Fixes #235

Validation

• ./node_modules/.bin/tsc --noEmit ✅
• ./node_modules/.bin/eslint src/middleware.ts ✅
• git diff --check ✅

Note

I attempted ./node_modules/.bin/next build, but this local macOS workspace is blocked before compilation by an existing native SWC code-signature loading failure for @next/swc-darwin-arm64. The code path added in this PR type-checks and lints locally, and GitHub Actions should validate it on Linux.

GSSoC labels requested

Please add gssoc:approved, level:advanced, quality:clean, type:security, and type:performance if accepted.

[vercel]

Someone is attempting to deploy a commit to the PRIYANSHU DOSHI's projects Team on Vercel.

A member of the Team first needs to authorize it.

[saurabhhhcodes]

CI/security checks are green from my side on the new rate-limiting PR. When this is reviewed, could you please add the GSSoC scoring labels if accepted?

Suggested labels: gssoc:approved, level:advanced, quality:clean, type:security, and type:performance.