No rate limiting on public endpoints

[HellFelix]

No per-IP or per-session rate limiting exists on any endpoint. Endpoints of particular concern:

• POST /api/voter/register — triggers BLS blind signing on trustauth
• POST /api/voter/submit — adds entries to the in-memory vote list
• POST /api/login — voter slot claiming
• POST /api/create-meeting — allocates in-memory meeting state

A sustained flood against any of these can exhaust memory.

Fix: Add a rate-limiting middleware layer (e.g. tower-governor) on public routes.

[HellFelix]

Proposed fix from fa85c1b: Rate limiting has been added to all public API endpoints on both rustsystem-server (port 1443) and rustsystem-trustauth (port 2443).

Each public IP is allowed 10 requests per second with a burst of 30. Exceeding the limit returns 429 Too Many Requests with a Retry-After header indicating when the client may retry. Static file serving on the
server is unaffected — the limiter is scoped to /api routes only. The internal mTLS ports (1444, 2444) are also unaffected, as they only receive server-to-server traffic.

The rate limiter stores one entry per seen IP address. To prevent unbounded memory growth over long-running meetings, a background task runs every 60 seconds and evicts entries that are no longer near their
limit.

[HellFelix]

Further refined with c1279d9. Rate limiting is now only applied when is_secure, which means that tests now pass locally (not running into 429).

[HellFelix]

Merged to stage bc15125