Codex [ FastAPI ] Add HTTPBasic brute force protection

[cerredz]

/claim #800

Summary:

• Adds opt-in HTTPBasicWithProtection while leaving existing HTTPBasic behavior unchanged.
• Tracks failed authentication attempts per client IP in a configurable time window and returns 429 with Retry-After when locked out.
• Resets the failure counter after successful credential validation.
• Adds hash_password and verify_password helpers using hashlib PBKDF2 plus constant-time comparison.
• Exports the new class from fastapi.security and adds focused regression coverage.

Validation:

• uv run python -m pytest tests/test_security_http_basic_protection.py tests/test_security_http_basic_optional.py tests/test_security_http_basic_realm.py tests/test_security_http_basic_realm_description.py -q
• uv run ruff check fastapi/security/http.py fastapi/security/__init__.py tests/test_security_http_basic_protection.py
• uv run ruff format --check fastapi/security/http.py fastapi/security/__init__.py tests/test_security_http_basic_protection.py
• python -m compileall -q fastapi/security/http.py fastapi/security/__init__.py tests/test_security_http_basic_protection.py
• git diff --check HEAD~1..HEAD

Note: I intentionally did not add .generation_meta.json because it asks for full prompt/runtime/session provenance rather than product code.

[github-actions]

Unfortunately the changes in this PR didn't fully resolve the issue. Please rework your solution and submit a new pull request.

Make sure to review the acceptance criteria in the linked issue and verify all conditions are met before resubmitting. See CONTRIBUTING.md for guidelines.