security: add rate limiting to agent auth and webhook ingest

Agent token auth performed O(n) PBKDF2 operations per request with no
rate limiting, enabling CPU exhaustion attacks. Webhook ingest had no
rate limits either. Add an in-memory token-bucket rate limiter:
- Agent auth: 20 requests/minute per IP
- Webhook ingest: 60 requests/minute per IP

Includes unit tests for the rate limiter.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Hugh Brown
2026-03-03 13:42:32 -07:00
committed by Abhimanyu Saharan
parent 8a30c82c6d
commit 94988deef2
4 changed files with 95 additions and 0 deletions

@@ -24,6 +24,7 @@ from sqlmodel import col, select
from app.core.agent_tokens import verify_agent_token
from app.core.logging import get_logger
from app.core.rate_limit import agent_auth_limiter
from app.core.time import utcnow
from app.db.session import get_session
from app.models.agents import Agent
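Review bot: `agent_auth_limiter` is imported as a shared module-level object and the commit message describes the limiter as in-memory, so each worker process keeps its own counters and loses them on restart. With several workers the effective ceiling is a multiple of the stated 20 requests/minute per IP. Please document that at the definition in `app.core.rate_limit`, or back the limiter with a shared store if the limit is meant to be a hard one.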
@@ -112,6 +113,9 @@ async def get_agent_auth_context(
session: AsyncSession = SESSION_DEP,
) -> AgentAuthContext:
"""Require and validate agent auth token from request headers."""
client_ip = request.client.host if request.client else "unknown"
if not agent_auth_limiter.is_allowed(client_ip):
raise HTTPException(status_code=status.HTTP_429_TOO_MANY_REQUESTS)
resolved = _resolve_agent_token(
agent_token,
authorization,
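Review bot: the bucket key on the `client_ip = request.client.host if request.client else "unknown"` line is the direct peer address, so if the service sits behind a reverse proxy or load balancer every agent lands in the proxy's single bucket and one noisy client can lock out all others. The `"unknown"` fallback has the same effect for any request without client info. Suggest deriving the address through the deployment's trusted-proxy handling and rejecting or separately limiting the no-client case. The `HTTPException` on the 429 path also carries no `detail` or `Retry-After` header, which well-behaved agents would need to back off correctly.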