========================================
[Sun Feb  8 23:10:17 AEDT 2026] CC VPS triggered by Rivet
========================================

Task:
Fix bug: No rate limiting on /api/messages/* endpoints. All 4 message endpoints (list, start, get, send) lack rate limiting — spam vector. Check how other rate-limited endpoints implement this and apply the same pattern to all message endpoints.
----------------------------------------

## ✅ Fixed Rate Limiting on Message Endpoints

Added IP-based rate limiting to all 4 message endpoints to prevent spam attacks:

**Rate Limits Applied:**
- **GET /api/messages** (list conversations): 100 requests/15min
- **POST /api/messages/start** (create conversation): 20 requests/15min  
- **GET /api/messages/[id]** (get messages): 200 requests/15min
- **POST /api/messages/[id]/send** (send message): 60 requests/15min

All endpoints now use the existing `rate-limit.ts` pattern with `checkRateLimit()` and return proper 429 responses with retry-after headers when limits are exceeded. Each endpoint has a unique identifier (`messages-list:`, `messages-start:`, `messages-get:`, `messages-send:`) to track limits separately.

Build successful, app restarted, changes committed and pushed to main.
