fix(security): replace in-memory rate limiting with persistent DB-backed limiter

- Add LoginAttempt model to Prisma schema with migration
- Create rate-limit.ts utility (10 attempts / 15 min window, DB-backed)
- Apply rate limiting to login endpoint (replaces in-memory Map)
- Apply rate limiting to change-password endpoint (previously unprotected)
- Rate limit state survives server restarts and works across multiple instances

app/prisma/migrations/20250519123456_add_login_attempts/migration.sql

@@ -0,0 +1,7 @@
+CREATE TABLE "LoginAttempt" (
+    "id" TEXT NOT NULL,
+    "key" TEXT NOT NULL,
+    "createdAt" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    CONSTRAINT "LoginAttempt_pkey" PRIMARY KEY ("id")
+);
+CREATE INDEX "LoginAttempt_key_createdAt_idx" ON "LoginAttempt"("key", "createdAt");

app/prisma/schema.prisma

@@ -255,3 +255,11 @@ model AuditLog {
   metadata    Json?
   createdAt   DateTime @default(now())
 }
+
+model LoginAttempt {
+  id        String   @id @default(cuid())
+  key       String   // IP address or identifier
+  createdAt DateTime @default(now())
+
+  @@index([key, createdAt])
+}