fix: scope optional agent auth rate limiting to X-Agent-Token header only

Prevents normal user requests with Authorization: Bearer from being
throttled by the agent auth limiter in the shared require_user_or_agent
dependency path.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

backend/app/core/agent_auth.py

@@ -170,8 +170,10 @@ async def get_agent_auth_context_optional(
                 bool(authorization),
             )
         return None
-    # Rate-limit when a token is presented to prevent brute-force guessing
-    # via the optional auth path.
+    # Rate-limit when an agent token header is presented to prevent brute-force
+    # guessing via the optional auth path. Scoped to X-Agent-Token so that
+    # normal user Authorization headers are not throttled.
+    if agent_token:
         client_ip = request.client.host if request.client else "unknown"
         if not agent_auth_limiter.is_allowed(client_ip):
             raise HTTPException(status_code=status.HTTP_429_TOO_MANY_REQUESTS)