Bug

The global API rate limiter returns a plain-text response when the request limit is exceeded, while the rest of the API uses JSON success/failure envelopes.

Reproduction against current origin/main:

GET /api/users repeated until the global limit is exceeded

Observed response after exceeding the limit:

HTTP 429
content-type: text/html; charset=utf-8
Too many requests, please try again later.

Impact

• API clients expecting JSON cannot parse rate-limit errors consistently.
• Rate-limit failures do not use the same { success: false, message } envelope as other API errors.
• Client-side error handling must special-case one middleware response.

Expected behavior

Rate-limit responses should return HTTP 429 using the API failure envelope, for example:

{ "success": false, "message": "Too many requests" }

Proposed fix

• Configure the rate limiter with a custom handler.
• Return the existing API failure envelope for rate-limit responses.
• Add a regression test that exhausts the limiter and verifies HTTP 429 JSON output.

This issue is limited only to the creator of this issue. This means that only the issue author can attempt to solve this issue. If you would like to work on it, please create another issue with the same contents and refer to issue #743 for more information.

Parent bounty: #743.