[Backend] Implement rate limiting for Database Pooler

[DeFiVC]

Closes #758

Changes

• Add sliding window rate limiter for database queries
• Global limit: 100 queries per 60s (configurable)
• Per-merchant limit: 50 queries per 60s (configurable)
• HTTP 429 response with clear error message when exceeded

Implementation

• backend/src/lib/db-pooler-optimized.js — QueryRateLimiter class with checkLimit() and recordQuery()
• backend/src/lib/db-pooler-optimized.test.js — Tests for global/merchant limits, window reset, stats

Test Output

All tests pass for rate limiting, window reset after expiry, merchant scoping, and error handling.

Security Notes

• Prevents single-merchant DoS with global limit
• Prevents noisy-neighbor with per-merchant limits
• Time-based sliding window prevents burst abuse
• Prometheus metrics: db_pooler_rate_limit_exceeded_total

Configuration

DB_POOLER_RATE_LIMIT_WINDOW_MS=60000
DB_POOLER_RATE_LIMIT_MAX_QUERIES=100
DB_POOLER_RATE_LIMIT_MAX_MERCHANT_QUERIES=50

[vercel]

Someone is attempting to deploy a commit to the Emmanuel's projects Team on Vercel.

A member of the Team first needs to authorize it.

[drips-wave]

@DeFiVC Great news! 🎉 Based on an automated assessment of this PR, the linked Wave issue(s) no longer count against your application limits.

You can now already apply to more issues while waiting for a review of this PR. Keep up the great work! 🚀

Learn more about application limits