feat: implement API rate limiting and usage metering (#188)

[activatedkc]

Summary

Implements API gateway with rate limiting, usage metering, and API key management to close #188.

Changes

Smart Contract: contracts/api/

• auth.rs — API key lifecycle: create, revoke, rotate, validate (SHA-256 hash storage), list by owner, audit trail
• ratelimit.rs — Sliding-window rate limiter at minute/hour/day granularity, usage tracking and reporting, usage-based charge calculation
• SubTrackrApi contract with 9 public functions

Shared Types: contracts/types/src/lib.rs

• ApiKey, ApiKeyConfig, ApiKeyStatus, UsageTier (Free/Basic/Pro/Enterprise with preset rate limits)
• RateLimitConfig, RateLimitWindow, ApiUsageRecord, RateLimitStatus, UsageReport, ApiKeyAuditEntry
• StorageKey variants for API key storage

Frontend

• src/store/apiStore.ts — Zustand store with AsyncStorage persistence (create/revoke/rotate/delete keys)
• src/screens/ApiKeysScreen.tsx — Dedicated API key management UI with tier selector (Free/Basic/Pro/Enterprise), rate limit display per key, key actions (Copy/Rotate/Revoke/Delete)

Tests — 16 passing

• Key lifecycle: create, revoke, rotate, validate (active/revoked/expired), list, audit trail, last_used update
• Rate limiting: per-minute, per-hour, window reset, burst
• Usage metering: tracking, report, charge calculation
• Edge cases: invalid key hash, expired key, revoked key

Edge Cases

• Burst traffic: burst_limit in RateLimitConfig with sliding window
• Key compromise: instant revoke + rotate with audit trail
• Window rollover: bucket_start alignment same pattern as metering contract

[drips-wave]

@activatedkc Great news! 🎉 Based on an automated assessment of this PR, the linked Wave issue(s) no longer count against your application limits.

You can now already apply to more issues while waiting for a review of this PR. Keep up the great work! 🚀

Learn more about application limits