
Add rate limiting middleware to prevent DoS attacks #13

@NP-compete

Description


Summary

The server lacks rate limiting, making it vulnerable to denial-of-service attacks.

Current State

No rate limiting middleware exists. Any client can send unlimited requests.

Expected Outcome

Add rate limiting middleware with configurable limits:

Implementation Options

Option A: Use existing library (recommended)

```go
import (
	"net/http"

	"golang.org/x/time/rate"
)

// RateLimitMiddleware wraps a handler with a single, process-wide token bucket:
// every client shares the one limiter, so this variant is global rather than per-client.
func RateLimitMiddleware(requestsPerSecond float64, burst int) func(http.Handler) http.Handler {
	limiter := rate.NewLimiter(rate.Limit(requestsPerSecond), burst)

	return func(next http.Handler) http.Handler {
		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			if !limiter.Allow() {
				http.Error(w, "Too Many Requests", http.StatusTooManyRequests)
				return
			}
			next.ServeHTTP(w, r)
		})
	}
}
```

Option B: Per-client rate limiting

```go
import (
	"time"

	"github.com/go-chi/httprate"
)

// In router.go: at most 100 requests per minute per client IP; excess requests get 429.
r.Use(httprate.LimitByIP(100, time.Minute))
```

Configuration

Add to `Config` struct:

```go
type Config struct {
	// ... existing fields
	RateLimitEnabled   bool    `mapstructure:"RATE_LIMIT_ENABLED"`
	RateLimitPerSecond float64 `mapstructure:"RATE_LIMIT_PER_SECOND"`
	RateLimitBurst     int     `mapstructure:"RATE_LIMIT_BURST"`
}
```

Defaults

  • `RATE_LIMIT_ENABLED`: true
  • `RATE_LIMIT_PER_SECOND`: 10
  • `RATE_LIMIT_BURST`: 20

Acceptance Criteria

  • Rate limiting middleware created
  • Configurable via environment variables
  • Returns 429 Too Many Requests when limit exceeded
  • Per-IP or per-client limiting (not global)
  • Unit tests for rate limiting
  • Documentation updated
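A per-IP variant that meets the "not global" and "unit tests" criteria using only the standard library, added here as an illustration and not code from this project: `PerIPLimiter`, `bucket` and the injectable `Now` clock are assumed names, and the token-bucket arithmetic mirrors what `golang.org/x/time/rate` does internally.

```go
package main
import (
	"math"
	"net"
	"net/http"
	"sync"
	"time"
)
// PerIPLimiter keeps one token bucket per client key, refilled at rate tokens/second and capped
// at burst (example code, not the project's own). Now is an injectable clock for deterministic tests.
type PerIPLimiter struct {
	mu          sync.Mutex
	rate, burst float64
	buckets     map[string]*bucket
	Now         func() time.Time
}
type bucket struct{ tokens float64; last time.Time }
func NewPerIPLimiter(perSecond float64, burst int) *PerIPLimiter {
	return &PerIPLimiter{rate: perSecond, burst: float64(burst), buckets: map[string]*bucket{}, Now: time.Now}
}
// Allow consumes one token for key if available; an unseen client starts with a full burst.
func (l *PerIPLimiter) Allow(key string) bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	now := l.Now()
	b := l.buckets[key]
	if b == nil {
		b = &bucket{tokens: l.burst, last: now}
		l.buckets[key] = b
	}
	b.tokens = math.Min(l.burst, b.tokens+now.Sub(b.last).Seconds()*l.rate) // refill, capped at burst
	b.last = now
	if b.tokens < 1 {
		return false
	}
	b.tokens--
	return true
}
// Middleware keys the limit on the peer IP from RemoteAddr (host:port under net/http) and answers
// 429 once exhausted. Behind a reverse proxy every peer is the proxy, so a trusted client-IP header would be the key instead.
func (l *PerIPLimiter) Middleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		ip, _, _ := net.SplitHostPort(r.RemoteAddr)
		if l.Allow(ip) {
			next.ServeHTTP(w, r)
			return
		}
		http.Error(w, "Too Many Requests", http.StatusTooManyRequests)
	})
}
```

The map grows by one entry per distinct client and is never pruned here; a production version needs idle-bucket eviction so an attacker cycling source addresses cannot exhaust memory.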
