Rate Limiter Implementation

[mftee]

Complete the stub RateLimitService in rate_limit.rs and integrate it as an Axum middleware layer so that individual IP addresses cannot exceed a configurable number of requests per second.

Requirements:

• Complete RateLimitService using the existing governor crate dependency
• Implement check_rate_limit(ip: &str) -> bool — returns true if the request is allowed, false if rate-limited
• Create an Axum middleware RateLimitLayer that:
  • Extracts the client IP from the X-Forwarded-For header (falling back to the connection remote address)
  • Calls check_rate_limit for the IP
  • Returns 429 Too Many Requests with a Retry-After header if limited
• Configure rate limits via environment variables:
  • RATE_LIMIT_PER_SECOND (default: 10)
  • RATE_LIMIT_BURST (default: 20)
• Apply the middleware to all routes except GET /health and GET /metrics

Acceptance Criteria:

• Sending more than RATE_LIMIT_PER_SECOND requests per second from the same IP returns 429
• Retry-After header is present on 429 responses
• Health and metrics endpoints are exempt from rate limiting
• Unit tests verify the IP extraction logic and the 429 response format