
Draft: feat: add brute force protection with account lockout

Schuyler Erle requested to merge sderle/add-brute-force-protection into main

Problem

The login endpoint allowed unlimited authentication attempts, enabling brute-force attacks.

Solution

Added Redis-backed rate limiting to track failed login attempts per username. After 5 failures within 15 minutes, the account is temporarily locked for 15 minutes. Thresholds are configurable via the [brute_force] section in config.ini.

Changes

  • New rate_limiter.py module with Redis-backed attempt tracking
  • Modified validate_and_login() to check lockout status and record failures
  • Added [brute_force] configuration section with max_attempts, lockout_duration, attempt_window
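The mechanism the MR describes, as an added worked example that is not the MR's own rate_limiter.py or validate_and_login(): a per-username failure counter whose Redis key expires after attempt_window, and a separate lock key whose TTL is lockout_duration. Everything below beyond the three config keys and the 5 / 15-minute thresholds is assumed: the key names bf:fail:<user> and bf:lock:<user>, config values in seconds, the FakeRedis class (an in-memory stand-in that mimics the redis-py incr/expire/ttl/set/delete calls so the file runs offline), the USERS table and the attempt_login() wrapper. The scenario at the end goes a little beyond the description by showing the lock expiring to the second and failures spread across two windows never adding up to a lock.

```python
"""Added example, not the MR's rate_limiter.py: per-username failed-login counting with a temporary
lockout, using the redis-py calls incr/expire/ttl/set/delete. FakeRedis stands in for redis.Redis()."""
import configparser
import hmac

# Constructed config.ini fragment; durations are assumed to be in seconds (900 s = 15 min).
CONFIG_TEXT = "[brute_force]\nmax_attempts = 5\nlockout_duration = 900\nattempt_window = 900\n"

def load_brute_force_config(text=CONFIG_TEXT):
    parser = configparser.ConfigParser()
    parser.read_string(text)
    return {k: parser["brute_force"].getint(k) for k in ("max_attempts", "lockout_duration", "attempt_window")}

class FakeRedis:  # in-memory stand-in: (value, expires_at) per key, expired lazily on access like Redis
    def __init__(self, clock):
        self._clock, self._data = clock, {}

    def _live(self, key):
        entry = self._data.get(key)
        if entry and entry[1] is not None and self._clock() >= entry[1]:
            del self._data[key]
            return None
        return entry

    def incr(self, key):
        entry = self._live(key)
        value = (int(entry[0]) if entry else 0) + 1
        self._data[key] = (value, entry[1] if entry else None)
        return value

    def expire(self, key, seconds):
        if self._live(key):
            self._data[key] = (self._data[key][0], self._clock() + seconds)

    def ttl(self, key):  # Redis convention: -2 for a missing key, -1 for a key without expiry
        entry = self._live(key)
        return -2 if entry is None else -1 if entry[1] is None else max(1, int(entry[1] - self._clock()))

    def set(self, key, value, ex=None):
        self._data[key] = (value, None if ex is None else self._clock() + ex)

    def delete(self, key):
        self._data.pop(key, None)

class BruteForceGuard:  # fixed-window failure counter per username plus a lock key with its own TTL
    def __init__(self, redis_client, config):
        self.r, self.cfg = redis_client, config

    def _keys(self, username):
        u = username.strip().lower()  # 'Alice ' and 'alice' share one failure budget
        return f"bf:fail:{u}", f"bf:lock:{u}"

    def lockout_remaining(self, username):  # seconds until the lock expires; 0 when not locked
        return max(0, self.r.ttl(self._keys(username)[1]))

    def record_failure(self, username):  # returns True when this failure locked the account
        fail_key, lock_key = self._keys(username)
        count = self.r.incr(fail_key)
        if count == 1:
            self.r.expire(fail_key, self.cfg["attempt_window"])  # the window opens at the first failure
        if count < self.cfg["max_attempts"]:
            return False
        self.r.set(lock_key, "1", ex=self.cfg["lockout_duration"])
        self.r.delete(fail_key)  # a clean window once the lock expires
        return True

    def record_success(self, username):
        self.r.delete(self._keys(username)[0])

# Constructed stand-in for the application's credential check (a real one compares password hashes).
USERS = {"alice": "correct horse battery staple", "bob": "not-hunter2"}

def attempt_login(guard, username, password):
    """Lockout is checked before the password, so a locked account reveals nothing about it."""
    if guard.lockout_remaining(username) > 0:
        return "locked"
    if hmac.compare_digest(USERS.get(username, ""), password):
        guard.record_success(username)
        return "ok"
    return "locked" if guard.record_failure(username) else "invalid"

def run_scenario():
    """Drive the guard through lockout, lock expiry and window expiry; returns the observations."""
    now = [0.0]  # fake clock, advanced by hand instead of sleeping
    cfg = load_brute_force_config()
    guard = BruteForceGuard(FakeRedis(lambda: now[0]), cfg)
    good, bad = "correct horse battery staple", "wrong"
    out = {"attempts": [attempt_login(guard, "alice", bad) for _ in range(cfg["max_attempts"])]}
    out["correct_while_locked"] = attempt_login(guard, "Alice ", good)
    now[0] += cfg["lockout_duration"] - 1
    out["one_second_before_expiry"] = attempt_login(guard, "alice", good)
    now[0] += 1
    out["after_lock_expiry"] = attempt_login(guard, "alice", good)
    for _ in range(cfg["max_attempts"] - 1):  # failures spread over two windows never add up to a lock
        attempt_login(guard, "bob", bad)
    now[0] += cfg["attempt_window"]
    out["second_window"] = [attempt_login(guard, "bob", bad) for _ in range(cfg["max_attempts"] - 1)]
    return out
```

Two points a reviewer of such a change would look for. INCR followed by EXPIRE is two round trips; if the process dies between them the counter has no expiry and the user stays one failure closer to lockout forever, so in production wrap the pair in a pipeline/MULTI or a small Lua script. And a lock keyed only on the username means anyone who knows a username can keep that account locked by sending wrong passwords, which is an availability risk; pairing the per-account counter with per-source-address limiting or progressive delays, and alerting on repeated lockouts of the same account, keeps the protection from becoming a denial of service.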
