Release note
Sign-in rate limit moved to Redis (no more reset on deploy)
The auth rate limiter used to live in process memory, which had two embarrassing properties: every container restart wiped the counter (so an attacker could time their attempts to coincide with deploys), and a multi-replica deployment would split the count across replicas instead of summing them.
It now runs against Redis, shared across replicas and durable across restarts. If Redis is unreachable the request fails closed — no silent fallback to the old in-memory store, because that would be exactly the bug we just fixed in disguise.
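To make the two properties above concrete (one counter summed across replicas and surviving restarts, and no fallback when the store is unreachable), here is an added example in Python. It is not the project's own limiter: it is written against the redis-py `pipeline()`/`set()`/`incr()` call surface, and a constructed in-memory stand-in plays the part of the Redis server so it runs offline. The key prefix, limit, window and IP addresses are illustrative assumptions.

```python
"""Redis-backed sign-in rate limiter: shared across replicas, fail-closed.

Added example, not the project's code. Works against any client exposing
redis-py's pipeline()/set()/incr() surface; a constructed in-memory fake
(FakeRedis) stands in for Redis so the example runs offline.
"""
import time
from typing import Callable


class RateLimiterUnavailable(Exception):
    """Raised when the shared counter cannot be reached; callers must deny."""


class SignInRateLimiter:
    """Fixed-window counter per key (here the source IP), stored in Redis.

    Each check queues SET key 0 EX window NX followed by INCR key inside one
    MULTI/EXEC transaction, so the TTL is established together with the
    first increment and a client crash between them cannot leave a key that
    never expires.
    """

    def __init__(self, client, limit: int = 5, window_seconds: int = 300,
                 prefix: str = "signin:"):  # prefix is an assumed name
        self.client, self.limit, self.window, self.prefix = client, limit, window_seconds, prefix

    def check(self, key: str) -> bool:
        """Record one attempt for `key`; return True if it may proceed.

        Any error talking to Redis becomes RateLimiterUnavailable. There is
        deliberately no fallback to a process-local counter.
        """
        redis_key = self.prefix + key
        try:
            pipe = self.client.pipeline()          # transactional by default
            pipe.set(redis_key, 0, ex=self.window, nx=True)
            pipe.incr(redis_key)
            _, count = pipe.execute()
        except Exception as exc:  # refused, timeout, AUTH failure, ...
            raise RateLimiterUnavailable(str(exc)) from exc
        return int(count) <= self.limit


def sign_in_allowed(limiter: SignInRateLimiter, key: str) -> bool:
    """What the auth handler calls: unavailable store means 'deny'."""
    try:
        return limiter.check(key)
    except RateLimiterUnavailable:
        return False


class FakeRedis:
    """Constructed stand-in for a Redis server: SET NX EX, INCR, MULTI/EXEC.
    The clock is injectable so window expiry can be shown without sleeping."""

    def __init__(self, clock: Callable[[], float] = time.monotonic):
        self._data = {}  # key -> (value, expires_at or None)
        self._clock = clock

    def _live(self, key):
        entry = self._data.get(key)
        if entry is not None and entry[1] is not None and self._clock() >= entry[1]:
            del self._data[key]
            return None
        return entry

    def set(self, key, value, ex=None, nx=False):
        if nx and self._live(key) is not None:
            return None
        self._data[key] = (int(value), None if ex is None else self._clock() + ex)
        return True

    def incr(self, key):
        entry = self._live(key)
        value, expires = (0, None) if entry is None else entry
        self._data[key] = (value + 1, expires)
        return value + 1

    def pipeline(self):
        return FakePipeline(self)


class FakePipeline:
    """Queues commands and runs them in order on execute(), like MULTI/EXEC."""

    def __init__(self, server):
        self._server, self._queue = server, []

    def set(self, *a, **kw):
        self._queue.append(lambda: self._server.set(*a, **kw))
        return self

    def incr(self, *a, **kw):
        self._queue.append(lambda: self._server.incr(*a, **kw))
        return self

    def execute(self):
        return [op() for op in self._queue]


class DownRedis:
    """Constructed stand-in for an unreachable Redis: every call fails."""

    def pipeline(self):
        raise ConnectionError("connection refused")


def demo_shared_counter():
    """Two replicas, one Redis: attempts sum, survive a restart, then expire."""
    now = [1000.0]
    server = FakeRedis(clock=lambda: now[0])
    replica_a = SignInRateLimiter(server, limit=5, window_seconds=300)
    replica_b = SignInRateLimiter(server, limit=5, window_seconds=300)
    ip = "203.0.113.7"  # constructed sample address
    results = [(replica_a if i % 2 == 0 else replica_b).check(ip) for i in range(6)]
    replica_a = SignInRateLimiter(server, limit=5, window_seconds=300)  # "redeploy"
    after_restart = replica_a.check(ip)
    now[0] += 301  # the window elapses
    after_window = replica_a.check(ip)
    return results, after_restart, after_window


def demo_fail_closed():
    return sign_in_allowed(SignInRateLimiter(DownRedis()), "203.0.113.7")


if __name__ == "__main__":
    print(demo_shared_counter())  # ([True, True, True, True, True, False], False, True)
    print(demo_fail_closed())     # False
```

The part worth copying is the shape of `check()`: one transaction that both creates the key with its TTL and increments it, and an exception path that surfaces the outage rather than quietly counting in process memory.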
Most users will never notice this. The visible change is that the limit now means the same thing whichever replica answers you and whether or not a deploy just happened. The counter is still keyed by IP, as before, so everyone behind the same address shares one budget; being limited after only one or two attempts on a shared address is a property of per-IP counting, not of where the counter is stored, and this change does not alter it.
Source sprint log: SPRINT_LOG-INFRA-redis-rate-limit.md (transparency by default; the full log lives in the repo).