Add enterprise API rate-limit guard

[charlie12520]

/claim #19

Summary:

• Adds a distinct enterprise-api-rate-limit-guard/ Enterprise Tooling slice for issue Enterprise Tooling #19.
• Evaluates institutional API and webhook integrations before production activation.
• Reconciles contracted sustained/burst/daily/concurrent limits, endpoint/export scopes, Retry-After/backoff behavior, idempotency coverage, private-project safeguards, webhook signing/rotation/retry readiness, owner contacts, sandbox load tests, and admin dashboard evidence.
• Emits deterministic JSON, Markdown, SVG, and MP4 review artifacts from synthetic data only.

Acceptance criteria reviewed:

• Issue Enterprise Tooling #19 asks for enterprise admin dashboards, secure APIs/webhooks, export pipelines, usage visibility, compliance tracking, and integration controls.
• Algora requires /attempt #19, /claim #19, and a short demo video. /attempt #19 was posted before implementation, this body includes /claim #19, and reports/demo.mp4 is included.
• No CONTRIBUTING.md exists in this repository; the issue body and Algora instructions were used as the governing guidelines.

Validation:

• cd enterprise-api-rate-limit-guard && npm run check -> passed
• cd enterprise-api-rate-limit-guard && npm test -> enterprise-api-rate-limit-guard tests passed
• cd enterprise-api-rate-limit-guard && npm run demo -> generated JSON/Markdown/SVG artifacts; status hold_integrations, blockers 11, warnings 12
• cd enterprise-api-rate-limit-guard && npm run demo:video -> generated reports/demo.mp4
• Demo video metadata check -> 144 frames, 24fps, 1280x720, 1,216,323 bytes
• python -m py_compile make-demo-video.py -> passed
• git diff --check and git diff --cached --check -> passed before commit

Duplicate-scope review:

• Checked current open PR/issue activity for API rate, rate limit, throttle, burst, backoff, MFA/session, and adjacent Enterprise Tooling #19 enterprise slices.
• This module is separate from webhook replay, connector certification, API change governance, secret rotation, compute quota, payload redaction, vendor DPA, cohort privacy, and broader enterprise dashboard/export submissions.

Safety:

• Synthetic sample data only.
• No credentials, private customer data, live API calls, provisioned API keys, webhook delivery, payment processor calls, bank/ACH/wallet actions, SSO, SCIM, ERP, Stripe, PayPal, or external service calls are used.