refactor(api): add redis-backed rate limiting fallback

2026-03-30 23:23:56 +02:00
parent bcfb18393e
commit ef5e8016a4
9 changed files with 357 additions and 61 deletions
+2 -2
@@ -95,7 +95,7 @@ const isE2eTestMode = process.env["E2E_TEST_MODE"] === "true";
* Protected procedure — requires authenticated session AND a valid DB user record.
* This prevents stale sessions from accessing data after the DB user is deleted.
*/
export const protectedProcedure = t.procedure.use(withLogging).use(({ ctx, next }) => {
export const protectedProcedure = t.procedure.use(withLogging).use(async ({ ctx, next }) => {
if (!ctx.session?.user) {
throw new TRPCError({ code: "UNAUTHORIZED", message: "Authentication required" });
}
@@ -105,7 +105,7 @@ export const protectedProcedure = t.procedure.use(withLogging).use(({ ctx, next
// Rate limit by user ID
if (!isE2eTestMode) {
const rateLimitResult = apiRateLimiter(ctx.dbUser.id);
const rateLimitResult = await apiRateLimiter(ctx.dbUser.id);
if (!rateLimitResult.allowed) {
throw new TRPCError({
code: "TOO_MANY_REQUESTS",