chore: bump global API rate limit from 100 to 300 req/min #312

Merged: piyalbasu merged 1 commit into main from chore/bump-global-rate-limit, May 11, 2026
Conversation

@piyalbasu
Contributor

Summary

Bumps the global per-IP rate limit on the main API server from 100 req/min to 300 req/min (src/route/index.ts:125). The /onramp/token route-level limit (20/min) is unchanged.

Rationale

  • Sentry issue FREIGHTER-DMQ ("No error message" on /index.html) has been firing continuously since 2026-04-25 — its alert rule (≥10 errors/hr) trips multiple times per day, each with 100–141 accumulated events. These are overwhelmingly 429s from the extension hitting the global limit.
  • The limiter keys on client IP, so users behind shared egress (corporate networks, mobile carrier CGNAT, VPNs) share one bucket. A wallet-open burst (~5–15 reqs: balances, prices, history, token metadata) plus poll loops means ~15–20 concurrent users behind one IP can legitimately hit 100/min.
  • 300/min gives roughly 3× headroom while still being meaningfully restrictive — well below comparable public crypto data APIs (e.g. Coinbase public ≈ 600/min) and still effective against scripted abuse.
  • If FREIGHTER-DMQ doesn't quiet within a day or two after deploy, the right next step is per-user/API-key bucketing rather than continuing to widen the IP bucket.

Test plan

  • CI passes
  • After deploy, monitor FREIGHTER-DMQ event rate in Sentry — expect a sharp drop
  • Spot-check Grafana for any unusual upstream load (Horizon, RPC, price provider) now that more requests get through

🤖 Generated with Claude Code

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
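
The shared-bucket effect described in the Rationale above, as an added example that is not part of this PR or the project's code: a fixed-window limiter that counts the same traffic once per IP and once per user. The limiter class, the traffic shape (5-request wallet-open burst, one poll every 30 s, users one second apart), the IP and the user names are assumptions constructed for illustration; only the 100 and 300 req/min limits and the per-IP keying come from the PR text.

```typescript
// Added illustration, not the project's limiter. Traffic shape, IP and user
// names are constructed; the 100/300 req/min limits come from the PR text.
type Req = { t: number; ip: string; user: string };

class FixedWindowLimiter {
  private buckets = new Map<string, { start: number; count: number }>();
  private max: number;
  private windowMs: number;
  constructor(max: number, windowMs: number) { this.max = max; this.windowMs = windowMs; }

  // true = served, false = would be answered with 429
  allow(key: string, now: number): boolean {
    const start = Math.floor(now / this.windowMs) * this.windowMs;
    const b = this.buckets.get(key);
    if (!b || b.start !== start) {
      this.buckets.set(key, { start, count: 1 });
      return true;
    }
    b.count += 1;
    return b.count <= this.max;
  }
}

// Assumed client behaviour: users open the wallet one second apart, send
// `burst` requests at once, then poll every `pollMs` within the first minute.
function sharedEgressTraffic(users: number, burst: number, pollMs: number): Req[] {
  const ip = "203.0.113.7"; // documentation address standing in for a NAT egress
  const reqs: Req[] = [];
  for (let u = 0; u < users; u++) {
    const open = u * 1000;
    for (let i = 0; i < burst; i++) reqs.push({ t: open, ip, user: `user-${u}` });
    for (let t = open + pollMs; t < 60000; t += pollMs) reqs.push({ t, ip, user: `user-${u}` });
  }
  return reqs.sort((a, b) => a.t - b.t);
}

function count429s(reqs: Req[], max: number, keyOf: (r: Req) => string): number {
  const limiter = new FixedWindowLimiter(max, 60000);
  return reqs.filter((r) => !limiter.allow(keyOf(r), r.t)).length;
}

// Same traffic, three limiter configurations: per-IP at 100, per-IP at 300,
// and per-user at 100 (the bucketing the PR names as the next step).
function compare(users: number) {
  const reqs = sharedEgressTraffic(users, 5, 30000);
  const perIp100 = count429s(reqs, 100, (r) => r.ip);
  const perIp300 = count429s(reqs, 300, (r) => r.ip);
  const perUser100 = count429s(reqs, 100, (r) => r.user);
  return { total: reqs.length, perIp100, perIp300, perUser100 };
}
```

Under these assumptions, `compare(20)` yields 120 requests with 20 rejected at 100/min and none at 300/min, while `compare(60)` yields 330 requests with 30 rejected even at 300/min. Per-user keys reject none in either case, because no single user comes near the limit.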
Copilot AI review requested due to automatic review settings May 11, 2026 15:21
Contributor

Copilot AI left a comment

Pull request overview

Raises the globally configured Fastify rate limit for the API server to reduce legitimate 429s for users sharing an egress IP (e.g., corporate NAT/VPN/CGNAT), while leaving stricter per-route limits (like /onramp/token) intact.

Changes:

  • Increased the global per-IP rate limit from 100 to 300 requests per minute.
  • Kept the existing 1-minute time window and Redis-backed limiter configuration unchanged.

@piyalbasu piyalbasu merged commit ae11817 into main May 11, 2026
10 checks passed
@piyalbasu piyalbasu deleted the chore/bump-global-rate-limit branch May 11, 2026 19:29

3 participants