**Description**

Protect the API with rate limits and quotas per client.

**Acceptance Criteria**

- [ ] Global and per-client rate limits in place
- [ ] Quota counters persisted/reset policy defined
- [ ] 429 responses with headers (remaining/reset)
- [ ] Tests for limits and bursty traffic
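
An added example, not code from this project: a limiter that enforces a global and a per-client limit, tolerates bursts up to a fixed size, and returns 429 with remaining/reset headers. The token-bucket algorithm, the `Bucket` and `Limiter` names, the `X-RateLimit-*` header names and the in-memory counter store are assumptions; the issue does not specify them.

```python
import math

class Bucket:
    """Token bucket: `capacity` is the burst size, `rate` is tokens refilled per second."""
    def __init__(self, capacity, rate):
        self.capacity, self.rate = capacity, rate
        self.tokens, self.stamp = float(capacity), None

    def refill(self, now):
        if self.stamp is not None:
            self.tokens = min(self.capacity, self.tokens + (now - self.stamp) * self.rate)
        self.stamp = now

    def seconds_until(self, level):
        """Whole seconds until the bucket holds at least `level` tokens."""
        return max(0, math.ceil((level - self.tokens) / self.rate))

class Limiter:
    def __init__(self, client_capacity, client_rate, global_capacity, global_rate):
        self.client_cfg = (client_capacity, client_rate)
        self.shared = Bucket(global_capacity, global_rate)
        # Assumption: in-memory counters keyed by an authenticated client id.
        # A multi-instance deployment needs a shared, persisted store instead.
        self.clients = {}

    def check(self, client_id, now):
        """Return (status, headers) for one request from `client_id` at time `now` (seconds)."""
        own = self.clients.setdefault(client_id, Bucket(*self.client_cfg))
        own.refill(now)
        self.shared.refill(now)
        wait = max(own.seconds_until(1), self.shared.seconds_until(1))
        if wait == 0:
            # Spend from both buckets only when both allow the request, so a
            # global rejection does not also consume the client's own quota.
            own.tokens -= 1
            self.shared.tokens -= 1
        headers = {
            "X-RateLimit-Limit": str(own.capacity),
            "X-RateLimit-Remaining": str(int(own.tokens)),
            "X-RateLimit-Reset": str(own.seconds_until(own.capacity)),
        }
        if wait:
            headers["Retry-After"] = str(wait)
            return 429, headers
        return 200, headers
```

Passing `now` in explicitly keeps the burst and reset tests deterministic; production code would supply a monotonic clock.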