feat: IP-based rate limiting for free tier

- rate_limits SQLite table with daily counters
- check_rate_limit() / increment_rate_limit() helpers
- 20 requests/day per IP for free mode, unlimited for BYOK
- auto-cleanup of expired entries

Fixes #177

Author: he-yufeng

backend/services/cache.py

@@ -27,6 +27,23 @@ async def init_db():
             created_at REAL NOT NULL
         )
     """)
+    # projects table: persist project metadata + file contents across restarts
+    await _db.execute("""
+        CREATE TABLE IF NOT EXISTS projects (
+            id TEXT PRIMARY KEY,
+            data TEXT NOT NULL,
+            created_at REAL NOT NULL
+        )
+    """)
+    # rate limiting: daily LLM call count per IP
+    await _db.execute("""
+        CREATE TABLE IF NOT EXISTS rate_limits (
+            ip TEXT NOT NULL,
+            date TEXT NOT NULL,
+            count INTEGER NOT NULL DEFAULT 0,
+            PRIMARY KEY (ip, date)
+        )
+    """)
     await _db.commit()
 
 
@@ -60,3 +77,68 @@ async def put(key: str, value: dict | list):
         (key, data, time.time()),
     )
     await _db.commit()
+
+
+async def save_project(project_id: str, data: dict):
+    """Persist project data (metadata + file contents) to SQLite."""
+    if _db is None:
+        return
+    payload = json.dumps(data, ensure_ascii=False)
+    await _db.execute(
+        "INSERT OR REPLACE INTO projects (id, data, created_at) VALUES (?, ?, ?)",
+        (project_id, payload, time.time()),
+    )
+    await _db.commit()
+
+
+_DAILY_LIMIT = 20
+
+
+async def check_rate_limit(ip: str) -> tuple[bool, int]:
+    """Check if IP is within daily free limit.
+
+    Returns (allowed, remaining).
+    """
+    if _db is None:
+        return True, _DAILY_LIMIT
+
+    today = time.strftime("%Y-%m-%d")
+    async with _db.execute(
+        "SELECT count FROM rate_limits WHERE ip = ? AND date = ?", (ip, today)
+    ) as cursor:
+        row = await cursor.fetchone()
+
+    current = row[0] if row else 0
+    remaining = max(0, _DAILY_LIMIT - current)
+    return current < _DAILY_LIMIT, remaining
+
+
+async def increment_rate_limit(ip: str):
+    """Bump the daily usage counter for an IP."""
+    if _db is None:
+        return
+    today = time.strftime("%Y-%m-%d")
+    await _db.execute(
+        """INSERT INTO rate_limits (ip, date, count) VALUES (?, ?, 1)
+           ON CONFLICT (ip, date) DO UPDATE SET count = count + 1""",
+        (ip, today),
+    )
+    await _db.commit()
+
+
+async def load_project(project_id: str) -> dict | None:
+    """Load project data from SQLite. Returns None if not found or expired."""
+    if _db is None:
+        return None
+    async with _db.execute(
+        "SELECT data, created_at FROM projects WHERE id = ?", (project_id,)
+    ) as cursor:
+        row = await cursor.fetchone()
+    if row is None:
+        return None
+    data, created_at = row
+    if time.time() - created_at > _TTL_SECONDS:
+        await _db.execute("DELETE FROM projects WHERE id = ?", (project_id,))
+        await _db.commit()
+        return None
+    return json.loads(data)