Add rate limiting and resource-abuse protection guidance #20

Description

@Subhransu-De

What to build

Add a template-level answer for rate limiting and resource-abuse protection. This can be implemented in app middleware or documented as an infrastructure concern, but the production default must not be ambiguous.

Acceptance criteria

  • Documentation states where rate limiting should be enforced: app, gateway, reverse proxy, or platform.
  • Example limits are provided for API routes and authentication-sensitive routes.
  • If implemented in-app, tests cover allowed and limited requests.
  • If delegated to infrastructure, sample Nginx/Traefik/Kubernetes/cloud-gateway guidance is provided.
  • The approach addresses OWASP-style unrestricted resource consumption risk.

Blocked by

None - can start immediately.
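
An added example, not part of the issue or the template's own code: an in-app sliding-window limiter with a stricter limit for authentication-sensitive routes than for general API routes, written so that tests can cover allowed and limited requests without sleeping. Python, the limit values, the path prefixes and every name here are assumptions for illustration.

```python
import time
from collections import defaultdict, deque

# Constructed example limits: (max requests, window in seconds) per route class.
LIMITS = {
    "auth": (5, 60.0),    # login, password reset: strict, slows credential guessing
    "api": (100, 60.0),   # general API routes
}
AUTH_PREFIXES = ("/auth/", "/login", "/password-reset")  # hypothetical paths


def route_class(path):
    """Map a request path to the limit class that applies to it."""
    return "auth" if path.startswith(AUTH_PREFIXES) else "api"


class SlidingWindowLimiter:
    """In-memory sliding-window log limiter keyed by (client, route class)."""

    def __init__(self, limits=LIMITS, clock=time.monotonic):
        self.limits = limits
        self.clock = clock  # injectable so tests can advance time directly
        self.hits = defaultdict(deque)

    def check(self, client_id, path):
        """Return (allowed, retry_after_seconds) for one request."""
        cls = route_class(path)
        max_hits, window = self.limits[cls]
        now = self.clock()
        log = self.hits[(client_id, cls)]
        # Drop timestamps that have aged out of the window.
        while log and now - log[0] >= window:
            log.popleft()
        if len(log) >= max_hits:
            # Rejected requests are not recorded, so each log stays bounded
            # and a flood cannot extend its own lockout.
            return False, window - (now - log[0])
        log.append(now)
        return True, 0.0
```

Middleware would map a `False` result to HTTP 429 with a `Retry-After` header. The state is per-process, so a deployment with several workers or replicas needs a shared store or enforcement at the gateway or reverse proxy instead.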
