fix: add per-IP rate limiting to prevent GitHub quota exhaustion#5957

Open
taniy8 wants to merge 2 commits into
JhaSourav07:mainfrom
taniy8:fix/compare-missing-rate-limit
Conversation

@taniy8 taniy8 commented Jun 18, 2026

Contributor

Description

Fixes #5955

Problem

app/api/compare/route.ts had zero rate limiting, the single most
expensive endpoint in the codebase. It calls getFullDashboardData TWICE
in parallel (once per compared user):

const [result1, result2] = await Promise.allSettled([
  getFullDashboardData(user1, { token: userToken }),
  getFullDashboardData(user2, { token: userToken }),
]);

Since getFullDashboardData itself fires 7 parallel GitHub API requests,
a single call to /api/compare costs 14 GitHub API calls total with no
RateLimiter and no per-IP check anywhere in the file.

Although /api/compare appears in the proxy.ts middleware matcher list,
that middleware is non-functional due to a separate naming bug (tracked
in a different issue), so no protection is applied at any layer in practice.

Fix

Added per-IP rate limiting (5 requests/minute - the lowest of any route
fixed so far, given the 14x GitHub API cost per request) at the top of
the GET handler, consistent with the pattern used in /api/og, /api/notify,
/api/user-details, /api/ci-analytics, and /api/achievements.

Note

The existing test file fails to load with a pre-existing next-auth
module resolution error, unrelated to this change (route.ts imports
getUserGitHubToken which pulls in the broken auth chain). Verified the
fix via lint and manual code review.

Pillar

  • 🎨 Pillar 1 — New Theme Design
  • 📐 Pillar 2 — Geometric SVG Improvement
  • 🕐 Pillar 3 — Timezone Logic Optimization
  • 🛠️ Other (Bug fix, refactoring, docs)

Visual Preview

N/A

Checklist before requesting a review:

  • I have read the CONTRIBUTING.md file.
  • I have tested these changes locally (localhost:3000/api/streak?user=YOUR_USERNAME).
  • I have run npm run format and npm run lint locally and resolved all errors (CI will fail otherwise).
  • My commits follow the Conventional Commits format (e.g., feat(themes): ..., fix(calculate): ...).
  • I have updated README.md if I added a new theme or URL parameter.
  • I have starred the repo.
  • I have made sure that I have only one commit to merge in this PR.
  • The SVG output matches the CommitPulse "premium quality" aesthetic standard (no raw elements, smooth animations, correct fonts).
  • (Recommended) I joined the CommitPulse Discord community for contributor discussions, mentorship, and faster PR support.

vercel Bot commented Jun 18, 2026

Contributor

@taniy8 is attempting to deploy a commit to the jhasourav07's projects Team on Vercel.

A member of the Team first needs to authorize it.

@github-actions github-actions Bot added the status:blocked This PR is blocked due to a failing CI check. label Jun 18, 2026
Contributor

🚨 Hey @taniy8, the CI Pipeline is failing on this PR and it has been marked as status:blocked.

Please fix the issues before this can be reviewed. Here's how:

1. Run checks locally before pushing:

npm run format:check   # Check Prettier formatting
npm run lint           # Run ESLint
npm run typecheck      # TypeScript type check
npm run test           # Run unit tests (Vitest)
npm run build          # Verify production build passes

2. Auto-fix common issues:

npm run format         # Auto-fix formatting with Prettier
npm run lint -- --fix  # Auto-fix lint errors where possible

3. Check the full failure log here:
👉 View CI Run

Once you push a fix and the CI passes, the status:blocked label will be removed automatically. 💪

@Aamod-Dev Aamod-Dev added level:intermediate Moderate complexity tasks quality:clean PR follows clean coding practices, proper formatting, documentation, and maintainability standards. type:feature New features, additions, or enhancements mentor:Aamod007 labels Jun 18, 2026
Collaborator

Labels Applied:

  • Difficulty: level:intermediate
  • Quality: quality:clean
  • Type: type:feature

Justification:
Adds per-IP rate limiting (5 req/min) to /api/compare route using RateLimiter and getClientIp() (14 additions in route.ts). Prevents GitHub quota exhaustion from compare endpoint abuse.

Status: Blocked
This PR is currently blocked (status:blocked label). It cannot be approved regardless of code quality until CI checks pass and the blocked status is removed. Please resolve the failing checks and request re-review.

@github-actions github-actions Bot added type:bug Something isn't working as expected and removed type:feature New features, additions, or enhancements labels Jun 18, 2026

@Aamod-Dev Aamod-Dev left a comment

Collaborator

Review

This PR cannot be approved in its current state due to blocking issues (status:blocked label, merge conflicts, needs-rebase label, and/or failing CI checks). Please resolve the blocking issues and re-request review.

Once unblocked, I'm happy to re-review! 💚

@Aamod-Dev Aamod-Dev added GSSoC 2026 bug Something isn't working security labels Jun 21, 2026

@Aamod-Dev Aamod-Dev left a comment

Collaborator

Adding a rate limiter to /api/compare is a critical fix, considering the 14x API multiplier effect. However, this PR is currently marked as blocked (likely due to the next-auth module resolution error mentioned in the description). Please resolve the blocking issues and get the tests passing so we can merge this security improvement.

Development

Successfully merging this pull request may close these issues.

bug: /api/compare has no rate limiting, each request fires 14 parallel GitHub API calls

2 participants