Add rate limiting: global (120/min) and writes (30/min) policies

Both policies partition by sub claim with IP fallback. Global limiter
applies to all requests; writes policy is applied via
[EnableRateLimiting("writes")] on every POST, PUT, and DELETE action
across all five controllers.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

src/Budget.Api/Controllers/IncomesController.cs

@@ -4,6 +4,7 @@ using Budget.Api.Models;
 using Budget.Api.Services;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
+using Microsoft.AspNetCore.RateLimiting;
 using Microsoft.EntityFrameworkCore;
 
 namespace Budget.Api.Controllers;
@@ -40,6 +41,7 @@ public class IncomesController(AppDbContext db, BudgetAuthorizationService authz
     }
 
     [HttpPost]
+    [EnableRateLimiting("writes")]
     public async Task<IActionResult> Create(Guid budgetId, [FromBody] CreateIncomeRequest req)
     {
         if (TryGetUserId(out var userId) is { } err) return err;
@@ -60,6 +62,7 @@ public class IncomesController(AppDbContext db, BudgetAuthorizationService authz
     }
 
     [HttpPut("{incomeId:guid}")]
+    [EnableRateLimiting("writes")]
     public async Task<IActionResult> Update(Guid budgetId, Guid incomeId, [FromBody] UpdateIncomeRequest req)
     {
         if (TryGetUserId(out var userId) is { } err) return err;
@@ -74,6 +77,7 @@ public class IncomesController(AppDbContext db, BudgetAuthorizationService authz
     }
 
     [HttpDelete("{incomeId:guid}")]
+    [EnableRateLimiting("writes")]
     public async Task<IActionResult> Delete(Guid budgetId, Guid incomeId)
     {
         if (TryGetUserId(out var userId) is { } err) return err;
@@ -86,6 +90,7 @@ public class IncomesController(AppDbContext db, BudgetAuthorizationService authz
     }
 
     [HttpPut("order")]
+    [EnableRateLimiting("writes")]
     public async Task<IActionResult> Reorder(Guid budgetId, [FromBody] ReorderIncomesRequest req)
     {
         if (TryGetUserId(out var userId) is { } err) return err;