Labels: stage-4, security, backend Depends on: S4.1-04, S4.1-06 Acceptance Criteria: - [ ] Login and guess endpoints are rate-limited. - [ ] 429 behavior is deterministic and tested. - [ ] Limits are configurable by environment. - [ ] Logging captures throttle events for ops visibility.
Labels: stage-4, security, backend
Depends on: S4.1-04, S4.1-06
Acceptance Criteria: