Security hardening.
- Login returns a generic 401 for both invalid credentials and disabled accounts, removing an account-status enumeration oracle (CWE-204)
- Optional rate_limiter hook on login and password-reset-request endpoints (CWE-307)
- Email helpers raise if the URL template still points at the example.com placeholder