Rate-limit requests in `experiment`

[kcarnold]

A single user shouldn't be able to blow our OpenAI budget. One straightforward way to do this would be to fail requests that are coming too fast—if the user's last request was too recent, we could fail it with a ratelimit HTTP error code. The client may need to be tweaked to handle this gracefully.

This is a bit messy since we don't have clean user tracking right now. Maybe we prototype this in the NextJS app (experiment) using https://www.better-auth.com/docs/comparison or something.