/auth/login and /auth/refresh had no throttling, allowing unbounded password brute-force attempts. Add a process-local fixed-window limiter (10 requests/minute per client IP) in front of both. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
