fix(api): enforce shared global rate limit

[listlessbird]

Summary

• wire GLOBAL_LIMIT into SlowAPI limiter as an application-wide shared limit
• add SlowAPIMiddleware so application limits are enforced
• keep memory:// backend for current single-deployment setup

Validation

• uv run ruff check src/api/rate_limit.py src/api/main.py

Closes #20

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 9229514767

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Use a shared key for the global application limit

application_limits=[GLOBAL_LIMIT] is still keyed by the limiter key_func, and _get_connecting_ip returns a per-client IP, so this change enforces 200/minute per IP instead of a single shared cap across all clients. In practice, aggregate traffic can exceed the intended global ceiling whenever requests come from multiple client IPs (or a distributed attacker), so the DOS guard described by GLOBAL_LIMIT is not actually enforced.

Useful? React with 👍 / 👎.