# Change: Add Rate Limiting for API Security

## Why

The login endpoint and other sensitive APIs lack rate-limiting protection, which leaves them exposed to brute-force attacks and DoS attempts. This is a critical security gap identified in the code review (HIGH-003).

## What Changes

- Add the slowapi dependency for rate limiting
- Implement rate-limiting middleware
- Apply rate limits to the login endpoint (5 requests/minute)
- Apply rate limits to other sensitive endpoints
- Return proper 429 Too Many Requests responses

## Impact

- Affected specs: user-auth
- Affected code:
  - `backend/requirements.txt` - add slowapi
  - `backend/app/main.py` - initialize limiter
  - `backend/app/api/auth/router.py` - apply rate limits
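The following is an added illustration of the behaviour this change asks for; it is not code from the project and does not use slowapi itself. It models the 5 requests/minute login budget with an in-memory sliding window keyed by client address, and shows the 429 response (with a `Retry-After` header) that a blocked client receives. The client addresses, timestamps and `handle_login` routine are constructed for the example; in the real service the same budget would be expressed as slowapi's `@limiter.limit("5/minute")` on the login route, with the `RateLimitExceeded` handler producing the 429.

```python
import math
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Deque, Dict, Optional

# Budget from the change proposal: 5 requests per 60-second window for login.
WINDOW_SECONDS = 60.0
MAX_REQUESTS = 5


@dataclass
class SlidingWindowLimiter:
    """Per-key sliding-window counter (stand-in for slowapi's limiter).

    Every request is counted, successful or not, so an attacker cannot
    probe passwords without also consuming the budget.
    """
    max_requests: int = MAX_REQUESTS
    window_seconds: float = WINDOW_SECONDS
    _hits: Dict[str, Deque[float]] = field(default_factory=lambda: defaultdict(deque))

    def check(self, key: str, now: float) -> Optional[float]:
        """Record a request for `key` at time `now` (seconds).

        Returns None when the request is allowed, otherwise the number of
        seconds until the oldest counted request leaves the window, i.e. the
        value to send in Retry-After.
        """
        hits = self._hits[key]
        cutoff = now - self.window_seconds
        # Drop requests that have aged out of the window.
        while hits and hits[0] <= cutoff:
            hits.popleft()
        if len(hits) >= self.max_requests:
            return hits[0] + self.window_seconds - now
        hits.append(now)
        return None


def handle_login(limiter: SlidingWindowLimiter, client_ip: str, now: float,
                 password_ok: bool) -> dict:
    """Constructed stand-in for the login route: rate limit first, then auth."""
    retry_after = limiter.check(client_ip, now)
    if retry_after is not None:
        return {
            "status": 429,
            "headers": {"Retry-After": str(math.ceil(retry_after))},
            "body": {"detail": "Too Many Requests"},
        }
    if password_ok:
        return {"status": 200, "headers": {}, "body": {"detail": "ok"}}
    return {"status": 401, "headers": {}, "body": {"detail": "Invalid credentials"}}


def simulate_brute_force() -> list:
    """Six guesses from one address within a minute: the sixth is refused."""
    limiter = SlidingWindowLimiter()
    attacker = "198.51.100.7"  # constructed documentation address
    statuses = [handle_login(limiter, attacker, float(t), False)["status"]
                for t in range(6)]
    return statuses


if __name__ == "__main__":
    print(simulate_brute_force())  # five 401s followed by a 429
```

Keying only on the client address is what `slowapi.util.get_remote_address` does; it throttles a single source but shares one budget across everyone behind a NAT, so pairing it with a per-account counter in the login handler is the usual complement. Whatever the keying, the 429 path must stay cheap (no password hashing, no database lookup) or the limiter itself becomes the DoS target.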