feat(api): add Phase 1 API enhancements for reliability and tracing

- Add X-Request-ID header middleware for request tracing
  - Extracts from incoming headers or generates short UUID
  - Included in all error responses for debugging

- Add rate limit headers (X-RateLimit-Limit/Remaining/Reset)
  - Currently informational, configurable via API.RateLimitPerHour
  - Prepared for future enforcement

- Add chunk checksum verification for uploads
  - Optional X-Chunk-Checksum header with SHA-256 hash
  - Verifies data integrity during chunked uploads

- Standardize error responses with RFC 7807 Problem Details
  - Added type, title, status, detail, instance fields
  - Maintains backward compatibility with legacy fields

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

modules/setting/api.go

@@ -19,6 +19,8 @@ var API = struct {
 	DefaultGitTreesPerPage int
 	DefaultMaxBlobSize     int64
 	DefaultMaxResponseSize int64
+	RateLimitEnabled       bool
+	RateLimitPerHour       int
 }{
 	EnableSwagger:          true,
 	SwaggerURL:             "",
@@ -27,6 +29,8 @@ var API = struct {
 	DefaultGitTreesPerPage: 1000,
 	DefaultMaxBlobSize:     10485760,
 	DefaultMaxResponseSize: 104857600,
+	RateLimitEnabled:       false,
+	RateLimitPerHour:       5000,
 }
 
 func loadAPIFrom(rootCfg ConfigProvider) {

modules/web/middleware/rate_limit.go

@@ -0,0 +1,52 @@
+// Copyright 2026 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package middleware
+
+import (
+	"net/http"
+	"strconv"
+	"time"
+
+	"code.gitea.io/gitea/modules/setting"
+)
+
+// RateLimitHeaders is the header names for rate limit information
+const (
+	RateLimitHeader          = "X-RateLimit-Limit"
+	RateLimitRemainingHeader = "X-RateLimit-Remaining"
+	RateLimitResetHeader     = "X-RateLimit-Reset"
+)
+
+// RateLimitInfo returns a middleware that sets rate limit headers.
+// This is currently informational only - actual rate limiting enforcement
+// can be added in the future based on the RateLimitEnabled setting.
+func RateLimitInfo() func(http.Handler) http.Handler {
+	return func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
+			// Set informational rate limit headers
+			// These tell clients what to expect even if enforcement isn't active
+			limit := setting.API.RateLimitPerHour
+
+			// Calculate reset time (next hour boundary)
+			now := time.Now()
+			resetTime := now.Truncate(time.Hour).Add(time.Hour)
+
+			w.Header().Set(RateLimitHeader, strconv.Itoa(limit))
+
+			// When rate limiting is not enforced, remaining equals limit
+			// Future: implement actual tracking per user/IP
+			remaining := limit
+			if setting.API.RateLimitEnabled {
+				// TODO: Implement actual rate limit tracking
+				// For now, just show full quota when enabled
+				remaining = limit
+			}
+
+			w.Header().Set(RateLimitRemainingHeader, strconv.Itoa(remaining))
+			w.Header().Set(RateLimitResetHeader, strconv.FormatInt(resetTime.Unix(), 10))
+
+			next.ServeHTTP(w, req)
+		})
+	}
+}

modules/web/middleware/request_id.go

@@ -0,0 +1,89 @@
+// Copyright 2026 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package middleware
+
+import (
+	"context"
+	"net/http"
+	"unicode"
+
+	"code.gitea.io/gitea/modules/setting"
+
+	"github.com/google/uuid"
+)
+
+type requestIDKeyType struct{}
+
+var requestIDKey = requestIDKeyType{}
+
+// RequestIDHeader is the header name for request ID
+const RequestIDHeader = "X-Request-ID"
+
+// maxRequestIDByteLength is the maximum length for a request ID
+const maxRequestIDByteLength = 40
+
+// GetRequestID returns the request ID from context
+func GetRequestID(ctx context.Context) string {
+	if id, ok := ctx.Value(requestIDKey).(string); ok {
+		return id
+	}
+	return ""
+}
+
+// isSafeRequestID checks if the request ID contains only printable characters
+func isSafeRequestID(id string) bool {
+	for _, r := range id {
+		if !unicode.IsPrint(r) {
+			return false
+		}
+	}
+	return true
+}
+
+// parseOrGenerateRequestID extracts request ID from headers or generates a new one
+func parseOrGenerateRequestID(req *http.Request) string {
+	// Try to get from configured headers
+	for _, key := range setting.Log.RequestIDHeaders {
+		if id := req.Header.Get(key); id != "" {
+			if isSafeRequestID(id) {
+				if len(id) > maxRequestIDByteLength {
+					return id[:maxRequestIDByteLength]
+				}
+				return id
+			}
+		}
+	}
+
+	// Also check X-Request-ID header explicitly
+	if id := req.Header.Get(RequestIDHeader); id != "" {
+		if isSafeRequestID(id) {
+			if len(id) > maxRequestIDByteLength {
+				return id[:maxRequestIDByteLength]
+			}
+			return id
+		}
+	}
+
+	// Generate a new request ID (short form of UUID)
+	id := uuid.New()
+	return id.String()[:8]
+}
+
+// RequestID returns a middleware that sets X-Request-ID header
+func RequestID() func(http.Handler) http.Handler {
+	return func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
+			requestID := parseOrGenerateRequestID(req)
+
+			// Store in context
+			ctx := context.WithValue(req.Context(), requestIDKey, requestID)
+			req = req.WithContext(ctx)
+
+			// Set response header
+			w.Header().Set(RequestIDHeader, requestID)
+
+			next.ServeHTTP(w, req)
+		})
+	}
+}