chore: release v3.1.0 with per-IP rate limiting

Author: Robbie1977

.gitignore

@@ -86,4 +86,6 @@ ehthumbs.db
 Thumbs.db
 
 # Local Claude workspace settings
-.claude/
+.claude/
+
+data/

Dockerfile

@@ -2,6 +2,8 @@ FROM node:18-alpine
 
 WORKDIR /app
 
+RUN mkdir -p /app/data
+
 COPY package*.json ./
 
 RUN npm install

RELEASE_NOTES.md

@@ -4,6 +4,9 @@ This file summarizes the release notes inferred from git tags (tag message/annot
 
 ---
 
+## v3.1.0
+- Release v3.1.0: Add per-IP daily rate limiting and rate-info endpoint; backend data storage in data/rate-limits.json; client-side usage counter in UI
+
 ## v3.0.3
 - Release v3.0.3: Fix thumbnail handling by avoiding ID linkification inside existing URLs
 

app/api/chat/route.js

@@ -3,6 +3,7 @@ import { StreamableHTTPClientTransport } from '@modelcontextprotocol/sdk/client/
 import fs from 'fs'
 import path from 'path'
 import axios from 'axios'
+import { checkAndIncrement } from '../../../lib/rateLimit.js'
 
 // GA4 Analytics configuration
 const GA_MEASUREMENT_ID = process.env.GA_MEASUREMENT_ID || 'G-K7DDZVVXM7'
@@ -738,11 +739,22 @@ STRATEGY:
 6. For connectivity queries: If a neuron class (IsClass: true) doesn't have connectivity data, look at individual neuron instances from connectomes.
 7. Construct VFB URLs: https://v2.virtualflybrain.org/org.geppetto.frontend/geppetto?id=<id>&i=<template_id>,<image_ids>
 
-DISPLAYING RESULTS:
-- Use the human-readable name as markdown link text, not bare IDs. Example: [medulla](https://virtualflybrain.org/reports/FBbt_00003748) not FBbt_00003748.
-- When vfb_get_term_info returns thumbnail URLs, include them using markdown image syntax: ![label](thumbnail_url)
-- Only use thumbnail URLs actually present in the tool response data. Never invent URLs.
-- The chat UI renders thumbnails as compact images that expand on hover.
+FORMATTING VFB REFERENCES:
+When referencing VFB entities, ALWAYS use markdown links with the descriptive name as link text, NOT bare IDs in parentheses.
+- CORRECT: [ME on JRC2018Unisex adult brain](https://virtualflybrain.org/reports/VFB_00102107)
+- WRONG: ME on JRC2018Unisex adult brain (VFB_00102107)
+- WRONG: ME on JRC2018Unisex adult brain ([VFB_00102107](https://virtualflybrain.org/reports/VFB_00102107))
+The user wants to see human-readable names as clickable links, not cryptic IDs. The same applies to FBbt anatomy terms — use the term name as the link text: [medulla](https://virtualflybrain.org/reports/FBbt_00003748), not FBbt_00003748.
+
+DISPLAYING IMAGES:
+When vfb_get_term_info returns data with thumbnail URLs, you MUST include them in your response using markdown image syntax.
+Format each VFB entity as: thumbnail image followed by a descriptive link — do NOT repeat the name as plain text. Example:
+- ![ME on JRC2018Unisex](https://www.virtualflybrain.org/data/VFB/i/0010/2107/thumbnail.png) [ME on JRC2018Unisex adult brain](https://virtualflybrain.org/reports/VFB_00102107)
+NOT:
+- ME on JRC2018Unisex adult brain ![ME](thumbnail_url) [ME on JRC2018Unisex adult brain](url)
+The name should appear ONLY ONCE as the link text next to the thumbnail. Do not write it as plain text before the image.
+ONLY use thumbnail URLs that are actually present in the vfb_get_term_info response data. NEVER invent or guess thumbnail URLs.
+The user's chat interface renders these as compact thumbnails that expand on hover — they are a key visual feature, so always include them when available.
 
 SUGGESTED FOLLOW-UP QUESTIONS:
 At the end of your responses, when appropriate (not always necessary), suggest 2-4 follow-up questions the user might want to ask next. Include these as plain-text URLs in one of these formats:
@@ -773,6 +785,27 @@ export async function POST(request) {
   const xForwardedFor = request.headers.get('x-forwarded-for') || ''
   const clientIp = (xForwardedFor.split(',')[0] || '').trim() || request.headers.get('x-real-ip') || 'unknown'
 
+  const rateCheck = checkAndIncrement(clientIp)
+  if (!rateCheck.allowed) {
+    const encoder = new TextEncoder()
+    const stream = new ReadableStream({
+      start(controller) {
+        try {
+          controller.enqueue(encoder.encode(`event: error\ndata: ${JSON.stringify({ message: `Daily rate limit exceeded (${rateCheck.limit} requests per day). Please try again tomorrow.`, used: rateCheck.used, limit: rateCheck.limit })}\n\n`))
+        } catch (e) { /* ignore */ }
+        controller.close()
+      }
+    })
+
+    return new Response(stream, {
+      headers: {
+        'Content-Type': 'text/event-stream',
+        'Cache-Control': 'no-cache',
+        'Connection': 'keep-alive'
+      }
+    })
+  }
+
   const { messages, scene } = await request.json()
 
   const message = messages[messages.length - 1].content

app/api/rate-info/route.js

@@ -0,0 +1,10 @@
+import { getRateInfo } from '../../../lib/rateLimit.js'
+import { NextResponse } from 'next/server'
+
+export async function GET(request) {
+  const xForwardedFor = request.headers.get('x-forwarded-for') || ''
+  const clientIp = (xForwardedFor.split(',')[0] || '').trim() || request.headers.get('x-real-ip') || 'unknown'
+
+  const info = getRateInfo(clientIp)
+  return NextResponse.json(info)
+}

app/page.js

@@ -80,6 +80,7 @@ export default function Home() {
   const [scene, setScene] = useState({ id: existingId, i: existingI })
   const [isThinking, setIsThinking] = useState(false)
   const [thinkingDots, setThinkingDots] = useState('.')
+  const [rateInfo, setRateInfo] = useState({ used: 0, limit: 50, remaining: 50 })
   const [thinkingMessage, setThinkingMessage] = useState('Thinking')
   const chatEndRef = useRef(null)
   const msgIdRef = useRef(0) // stable, incrementing message ID
@@ -93,14 +94,11 @@ export default function Home() {
     if (!text) return text
 
     // Strip OpenAI Responses API citation artifacts in all known formats
-    // Private Use Area chars (U+E200-E2FF) used as citation delimiters by OpenAI
-    let cleaned = text.replace(/[\uE200-\uE2FF]cite[\uE200-\uE2FF]\w*[\uE200-\uE2FF]/g, '') // PUA-bracketed citations e.g. \uE200cite\uE202turn1data\uE201
-    cleaned = cleaned.replace(/\u3010[^\u3011]*\u3011/g, '')    // 【...】 bracketed citations
-    cleaned = cleaned.replace(/[\uE200-\uE2FF]/g, '')           // any remaining PUA chars
-    cleaned = cleaned.replace(/citeturn[\w?]*/g, '')             // bare citeturn artifacts
-    cleaned = cleaned.replace(/\bcite(?=\[|https?:\/\/)/g, '')   // orphaned "cite" before links
-    // Clean up leftover whitespace from stripped artifacts
-    cleaned = cleaned.replace(/ {2,}/g, ' ')
+    let cleaned = text.replace(/\u3010[^\u3011]*\u3011/g, '')  // 【...】 bracketed citations
+    cleaned = cleaned.replace(/citeturn[\w?]*\d*/g, '')         // citeturn0search0, citeturn0?, citeturn0vfbsomething etc.
+    cleaned = cleaned.replace(/\bcite(?=\[|https?:\/\/)/g, '')  // orphaned "cite" before links
+    // Clean up leftover whitespace/punctuation from stripped artifacts
+    cleaned = cleaned.replace(/ {2,}/g, ' ').replace(/\.\s*\?\s*/g, '. ').replace(/\. \./g, '.')
 
     const urlPlaceholders = []
     const URL_PLACEHOLDER = '\x00URL'
@@ -149,7 +147,25 @@ export default function Home() {
     }
   }, [isThinking])
 
+  const fetchRateInfo = useCallback(async () => {
+    try {
+      const response = await fetch('/api/rate-info')
+      if (!response.ok) throw new Error(`HTTP ${response.status}`)
+      const data = await response.json()
+      setRateInfo({
+        used: data.used ?? 0,
+        limit: data.limit ?? 50,
+        remaining: data.remaining ?? Math.max(0, (data.limit ?? 50) - (data.used ?? 0))
+      })
+    } catch (error) {
+      // Keep existing state on error; not critical for user workflow
+      console.error('Failed to fetch rate info', error)
+    }
+  }, [])
+
   useEffect(() => {
+    fetchRateInfo()
+
     if (initialQuery) {
       handleSend()
     } else {
@@ -170,7 +186,7 @@ Here are some example queries you can try:
 
 Feel free to ask about neural circuits, gene expression, connectome data, or any VFB-related topics!`)])
     }
-  }, [])
+  }, [fetchRateInfo])
 
   const handleSend = async (messageText = null) => {
     const textToSend = (typeof messageText === 'string' ? messageText : null) || input
@@ -219,10 +235,12 @@ Feel free to ask about neural circuits, gene expression, connectome data, or any
                 setMessages(prev => [...prev, makeMsg('assistant', data.response, { images: data.images })])
                 if (data.newScene) setScene(data.newScene)
                 setIsThinking(false)
+                fetchRateInfo()
                 return
               } else if (currentEvent === 'error') {
                 setMessages(prev => [...prev, makeMsg('assistant', data.message)])
                 setIsThinking(false)
+                fetchRateInfo()
                 return
               }
             } catch (parseError) {
@@ -234,6 +252,7 @@ Feel free to ask about neural circuits, gene expression, connectome data, or any
     } catch (error) {
       setMessages(prev => [...prev, makeMsg('assistant', 'Sorry, there was an error processing your request. Please try again.')])
       setIsThinking(false)
+      fetchRateInfo()
     }
   }
 
@@ -668,6 +687,7 @@ Feel free to ask about neural circuits, gene expression, connectome data, or any
         display: 'flex',
         gap: '8px',
         marginTop: '8px',
+        alignItems: 'center',
         flexShrink: 0
       }}>
         <input
@@ -686,6 +706,15 @@ Feel free to ask about neural circuits, gene expression, connectome data, or any
             outline: 'none'
           }}
         />
+        <div style={{
+          fontSize: '10px',
+          color: '#333',
+          opacity: 0.4,
+          fontFamily: 'monospace',
+          whiteSpace: 'nowrap'
+        }}>
+          {`${rateInfo.used}/${rateInfo.limit}`}
+        </div>
         <button
           onClick={handleSend}
           disabled={isThinking}

docker-compose.yml

@@ -10,3 +10,10 @@ services:
       - OPENAI_API_KEY=${OPENAI_API_KEY}
       - OPENAI_BASE_URL=${OPENAI_BASE_URL:-https://api.openai.com/v1}
       - OPENAI_MODEL=${OPENAI_MODEL:-gpt-4o-mini}
+      - RATE_LIMIT_PER_IP=${RATE_LIMIT_PER_IP:-50}
+    volumes:
+      - rate-data:/app/data
+
+volumes:
+  rate-data:
+    driver: local

lib/rateLimit.js

@@ -0,0 +1,44 @@
+import fs from 'fs'
+import path from 'path'
+
+const DATA_DIR = process.env.RATE_LIMIT_DATA_DIR || path.join(process.cwd(), 'data')
+const DATA_FILE = path.join(DATA_DIR, 'rate-limits.json')
+export const RATE_LIMIT = parseInt(process.env.RATE_LIMIT_PER_IP) || 50
+
+function readData() {
+  const today = new Date().toISOString().slice(0, 10)
+  try {
+    const raw = fs.readFileSync(DATA_FILE, 'utf8')
+    const data = JSON.parse(raw)
+    if (data.date !== today) {
+      return { date: today, ips: {} }
+    }
+    return data
+  } catch {
+    return { date: today, ips: {} }
+  }
+}
+
+function writeData(data) {
+  fs.mkdirSync(DATA_DIR, { recursive: true })
+  const tmp = DATA_FILE + '.tmp'
+  fs.writeFileSync(tmp, JSON.stringify(data), 'utf8')
+  fs.renameSync(tmp, DATA_FILE)
+}
+
+export function checkAndIncrement(clientIp) {
+  const data = readData()
+  const used = data.ips[clientIp] || 0
+  if (used >= RATE_LIMIT) {
+    return { allowed: false, used, limit: RATE_LIMIT }
+  }
+  data.ips[clientIp] = used + 1
+  writeData(data)
+  return { allowed: true, used: used + 1, limit: RATE_LIMIT }
+}
+
+export function getRateInfo(clientIp) {
+  const data = readData()
+  const used = data.ips[clientIp] || 0
+  return { used, limit: RATE_LIMIT, remaining: RATE_LIMIT - used }
+}

package.json

@@ -1,6 +1,6 @@
 {
   "name": "vfb-chat-client",
-  "version": "3.0.4",
+  "version": "3.1.0",
   "private": true,
   "scripts": {
     "dev": "next dev",