Great breakdown. The point about consistent error envelopes is something I wish more teams internalized early. I've seen so many APIs where every endpoint returns errors in a different shape, making client-side error handling a nightmare. One pattern I've found useful when building automation-heavy backends is wrapping idempotency keys with a hash of the request body — that way you catch accidental duplicates even when the client forgets to send the key. Do you have a preference between middleware-level vs route-level rate limiting in Next.js API routes?
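An added example, not code from the comment above or from the article it replies to: a sketch of the idempotency pattern the comment describes, where a missing client key falls back to a hash of the request body and a reused key with a different body is rejected. The names `IdempotencyStore`, `check` and `complete`, the per-client scoping, the TTL and the in-memory `Map` are all assumptions made for the illustration.

```javascript
// Added illustration; IdempotencyStore, check and complete are hypothetical names.
const crypto = require("node:crypto");

// Canonical JSON: sort object keys so logically equal bodies hash identically.
function canonicalize(value) {
  if (Array.isArray(value)) return `[${value.map(canonicalize).join(",")}]`;
  if (value && typeof value === "object") {
    const fields = Object.keys(value).sort()
      .map((k) => `${JSON.stringify(k)}:${canonicalize(value[k])}`);
    return `{${fields.join(",")}}`;
  }
  return JSON.stringify(value);
}

function bodyHash(body) {
  return crypto.createHash("sha256").update(canonicalize(body)).digest("hex");
}

class IdempotencyStore {
  constructor(ttlMs = 60_000) {
    this.ttlMs = ttlMs;
    this.entries = new Map(); // in-memory for the demo; assumption: one process
  }

  // Returns { status: "new", lookup } | { status: "replay", response } | { status: "conflict" }
  check(clientId, key, body, now = Date.now()) {
    const hash = bodyHash(body);
    // Client sent no key: fall back to the body hash so a resend is still caught.
    const lookup = `${clientId}|${key ? `key:${key}` : `body:${hash}`}`;
    const hit = this.entries.get(lookup);
    if (hit && hit.expires > now) {
      // Same key, different payload: reject instead of replaying the wrong response.
      if (hit.hash !== hash) return { status: "conflict" };
      return { status: "replay", response: hit.response };
    }
    this.entries.set(lookup, { hash, response: null, expires: now + this.ttlMs });
    return { status: "new", lookup };
  }

  // Record the handler's response so later duplicates get the same answer.
  complete(lookup, response) {
    const entry = this.entries.get(lookup);
    if (entry) entry.response = response;
  }
}
```

With the body-hash fallback, two intentionally identical requests from the same client inside the TTL are treated as one, so the window should be short for operations that can legitimately repeat.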