feat: add per-endpoint rate limiting for sensitive operations (PENTEST-04)
New EndpointRateLimiter in session.rs tracks requests per (method, IP)
with configurable limits and time windows:
Financial operations (5 req/5min):
- wallet.send, lnd.sendcoins, lnd.payinvoice, lnd.create-psbt,
lnd.finalize-psbt, wallet.ecash-send
Channel operations (3 req/5min):
- lnd.openchannel, lnd.closechannel
Backup operations (2-3 req/10min):
- backup.create, backup.restore
Container/package installs (5 req/5min):
- container-install, package.install
System operations (2 req/5min):
- system.reboot, system.shutdown, update.apply
Identity/auth (3-10 req/5min):
- identity.create, identity.issue-credential, auth.changePassword
Returns HTTP 429 with Retry-After header when limits exceeded.
Verified on live server: auth.changePassword blocks at 4th request,
lnd.sendcoins blocks at 6th request.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
de6e25221c