3 Commits

Author SHA1 Message Date
Slyghtning
dcbadf87a5 ratelimiter: narrow down mutex access 2026-01-23 10:12:13 -05:00
Slyghtning
c289dd6f90 proxy: apply ip4/ip6 filtering for unauthenticated requests 2026-01-23 09:22:47 -05:00
Slyghtning
a3ee1e0d17 proxy: implement a token-bucket rate limiter for aperture
Implement a token-bucket rate limiter for aperture that limits requests
per service endpoint. The rate limiter uses golang.org/x/time/rate and
provides per-key limiting with L402 token ID extraction (falling back
to IP address for unauthenticated requests).

Key components:
- RateLimitConfig: Configuration struct with path regex, requests/per/burst
- RateLimiter: Manages per-key rate.Limiter instances with LRU eviction
  to prevent memory exhaustion (default 10,000 entries)
- Prometheus metrics: allowed/denied counters, cache size, evictions

This addresses GitHub issue #200 for DoS protection on authenticated
endpoints that are free of charge after L402 payment.
2026-01-23 09:05:55 -05:00
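
An added example, not code from the aperture commits listed above: a per-key token bucket with LRU eviction of the kind the last commit message describes, keyed by L402 token ID with a fallback to the client IP. It uses only the standard library in place of golang.org/x/time/rate; `KeyedLimiter`, `NewKeyedLimiter`, `Allow` and the `token:`/`ip:` key prefixes are hypothetical names, and `maxKeys` is assumed to be at least 1.

```go
package main

import (
	"container/list"
	"math"
	"sync"
	"time"
)

type bucket struct{ key string; tokens float64; last time.Time } // state for one key
// KeyedLimiter (hypothetical name) keeps at most maxKeys buckets, evicting the LRU one.
type KeyedLimiter struct {
	mu          sync.Mutex
	rate, burst float64 // refill in tokens per second, and bucket capacity
	maxKeys     int
	order       *list.List // front = most recently used
	entries     map[string]*list.Element
}

func NewKeyedLimiter(requests int, per time.Duration, burst, maxKeys int) *KeyedLimiter {
	return &KeyedLimiter{rate: float64(requests) / per.Seconds(), burst: float64(burst),
		maxKeys: maxKeys, order: list.New(), entries: map[string]*list.Element{}}
}

// Allow limits per L402 token ID, or per client IP when the request carries no token.
// It refills the bucket for the elapsed time (capped at burst), then spends one token.
func (l *KeyedLimiter) Allow(tokenID, clientIP string, now time.Time) bool {
	key := "ip:" + clientIP
	if tokenID != "" {
		key = "token:" + tokenID
	}
	l.mu.Lock()
	defer l.mu.Unlock()
	el, ok := l.entries[key]
	if !ok {
		if l.order.Len() >= l.maxKeys { // bound memory: drop the least recently used key
			delete(l.entries, l.order.Remove(l.order.Back()).(*bucket).key)
		}
		el = l.order.PushFront(&bucket{key: key, tokens: l.burst, last: now})
		l.entries[key] = el
	}
	l.order.MoveToFront(el)
	b := el.Value.(*bucket)
	b.tokens, b.last = math.Min(l.burst, b.tokens+now.Sub(b.last).Seconds()*l.rate), now
	if ok = b.tokens >= 1; ok {
		b.tokens--
	}
	return ok
}
func main() { println(NewKeyedLimiter(1, time.Second, 2, 10000).Allow("", "203.0.113.7", time.Now())) }
```

An evicted key starts again with a full bucket, so the entry cap should sit well above the expected number of concurrent clients and the eviction count is worth watching.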