add systemd service unit and rate limit headers

Systemd deployment:
- examples/flaskpaste.service with security hardening
- examples/flaskpaste.env with all config options
- README deployment section updated

Rate limit headers (X-RateLimit-*):
- Limit, Remaining, Reset on 201 and 429 responses
- Per-IP tracking with auth multiplier
- api.md documented

tests/test_rate_limiting.py

@@ -65,6 +65,33 @@ class TestRateLimiting:
         finally:
             app.config["RATE_LIMIT_MAX"] = original_max
 
+    def test_rate_limit_headers_on_success(self, client, app):
+        """Successful responses include rate limit headers."""
+        original_max = app.config["RATE_LIMIT_MAX"]
+        app.config["RATE_LIMIT_MAX"] = 5
+
+        try:
+            # First request should include rate limit headers
+            response = client.post("/", data="first", content_type="text/plain")
+            assert response.status_code == 201
+
+            # Check rate limit headers
+            assert "X-RateLimit-Limit" in response.headers
+            assert "X-RateLimit-Remaining" in response.headers
+            assert "X-RateLimit-Reset" in response.headers
+
+            # Verify values
+            assert response.headers["X-RateLimit-Limit"] == "5"
+            assert response.headers["X-RateLimit-Remaining"] == "4"  # 5 - 1 = 4
+
+            # Reset timestamp should be a valid unix timestamp
+            reset = int(response.headers["X-RateLimit-Reset"])
+            import time
+
+            assert reset > int(time.time())  # Should be in the future
+        finally:
+            app.config["RATE_LIMIT_MAX"] = original_max
+
     def test_rate_limit_auth_multiplier(self, client, app, auth_header):
         """Authenticated users get higher rate limits."""
         original_max = app.config["RATE_LIMIT_MAX"]