fix: rate limiter now supports semantic search burst limits + better cleanup

src/lib/rate-limit.ts

@@ -16,21 +16,33 @@ const RATE_LIMITS = {
     },
 }
 
+// Prefix-specific overrides (for specialized endpoints)
+const PREFIX_LIMITS: Record<string, { max: number; window: number }> = {
+    'search-semantic': { max: 10, window: 3600 },       // 10 semantic searches/hr
+    'search-semantic-burst': { max: 3, window: 60 },    // 3 per minute burst
+    'search': { max: 60, window: 3600 },                // 60 regular searches/hr
+    'prompts': { max: 30, window: 3600 },               // 30 prompt creations/hr
+}
+
 // In-memory fallback when Redis is unavailable
 const memoryCounters = new Map<string, { count: number; resetAt: number }>()
+let lastCleanup = Date.now()
 
 function checkMemoryLimit(key: string, max: number, window: number): { count: number; allowed: boolean } {
     const now = Date.now()
+    
+    // Periodic cleanup (every 5 minutes or when map is large)
+    if (now - lastCleanup > 300_000 || memoryCounters.size > 5000) {
+        for (const [k, v] of memoryCounters.entries()) {
+            if (v.resetAt <= now) memoryCounters.delete(k)
+        }
+        lastCleanup = now
+    }
+
     const entry = memoryCounters.get(key)
 
     if (!entry || entry.resetAt <= now) {
         memoryCounters.set(key, { count: 1, resetAt: now + window * 1000 })
-        // Clean up old entries periodically
-        if (memoryCounters.size > 10000) {
-            for (const [k, v] of memoryCounters.entries()) {
-                if (v.resetAt <= now) memoryCounters.delete(k)
-            }
-        }
         return { count: 1, allowed: true }
     }
 
@@ -47,22 +59,33 @@ interface RateLimitResult {
 }
 
 /**
- * Check rate limit for a given identifier (IP or user ID).
- * Uses Redis with an in-memory fallback — NEVER fails open.
+ * Check rate limit for a given identifier.
+ * Supports prefix-based overrides for specialized endpoints.
  */
 export async function checkRateLimit(
     identifier: string,
     isAuthenticated: boolean = false,
     isPro: boolean = false,
 ): Promise<RateLimitResult> {
-    const config = isPro ? RATE_LIMITS.pro : isAuthenticated ? RATE_LIMITS.user : RATE_LIMITS.guest
+    // Check if there's a prefix-specific limit
+    let config = isPro ? RATE_LIMITS.pro : isAuthenticated ? RATE_LIMITS.user : RATE_LIMITS.guest
+
+    // Extract prefix (e.g., "search-semantic:user:abc123" → "search-semantic")
+    const colonIndex = identifier.indexOf(':')
+    if (colonIndex > 0) {
+        const prefix = identifier.substring(0, colonIndex)
+        if (PREFIX_LIMITS[prefix]) {
+            config = PREFIX_LIMITS[prefix]
+        }
+    }
+
     const key = `ratelimit:${identifier}`
 
     // Try Redis first
     const currentCount = await redisIncr(key)
 
     if (currentCount === null) {
-        // Redis unavailable — use in-memory fallback (NEVER fail open)
+        // Redis unavailable — use in-memory fallback
         const { count, allowed } = checkMemoryLimit(key, config.max, config.window)
         const resetAt = Date.now() + config.window * 1000
 
@@ -72,7 +95,7 @@ export async function checkRateLimit(
                 limit: config.max,
                 remaining: 0,
                 reset: resetAt,
-                error: `Rate limit exceeded. Redis unavailable, using in-memory limit. Try again in ${config.window} seconds.`,
+                error: `Rate limit exceeded. Try again in ${config.window} seconds.`,
             }
         }
 
@@ -123,7 +146,6 @@ export function getClientIdentifier(request: Request, userId?: string): string {
         return `user:${userId}`
     }
 
-    // Get IP from various headers (for proxies/load balancers)
     const cfConnectingIp = request.headers.get('cf-connecting-ip')
     const forwarded = request.headers.get('x-forwarded-for')
     const realIp = request.headers.get('x-real-ip')