fix: replace broken DashMap rate limiting with tower-governor middleware

- Replace custom DashMap<IpAddr, Instant> rate limiting in enrollment.rs
  that fell back to 0.0.0.0 when X-Forwarded-For was missing, causing
  ALL enrollment traffic to share a single global rate limit bucket
- Use tower_governor with SmartIpKeyExtractor for proper per-IP rate
  limiting that respects X-Forwarded-For headers (critical behind HAProxy)
- Add three configurable rate limit tiers via config.toml:
  * Enrollment: 5 req/min per IP, burst 3 (strict)
  * Auth: 20 req/min per IP, burst 10 (moderate)
  * API: 120 req/min per IP, burst 30 (normal)
- Remove enrollment_rate_limits from AppState and cleanup task
- Remove manual rate limit code from enrollment.rs (headers param, IP extraction)
- Add into_make_service_with_connect_info for ConnectInfo fallback
- Add RateLimitConfig to AppConfig with sensible defaults

Fixes: #1

config/config.example.toml

@@ -107,3 +107,20 @@ web_tls_key_path  = "/etc/patch-manager/tls/web.key"
 # The backend sends tokens as query parameters to this URL.
 # Default: "http://localhost:5173/auth/sso/callback" (Vite dev server)
 sso_callback_url = "http://localhost:5173/auth/sso/callback"
+
+# ============================================================
+# Rate Limiting
+# ============================================================
+[rate_limit]
+# Enrollment endpoint: requests per minute per IP (default: 5)
+enrollment_rpm = 5
+# Enrollment burst allowance (default: 3)
+enrollment_burst = 3
+# Public auth endpoints: requests per minute per IP (default: 20)
+auth_rpm = 20
+# Auth burst allowance (default: 10)
+auth_burst = 10
+# Authenticated API: requests per minute per IP (default: 120)
+api_rpm = 120
+# API burst allowance (default: 30)
+api_burst = 30