Add rate limiting: global (120/min) and writes (30/min) policies

Both policies partition by sub claim with IP fallback. Global limiter
applies to all requests; writes policy is applied via
[EnableRateLimiting("writes")] on every POST, PUT, and DELETE action
across all five controllers.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

src/Budget.Api/Controllers/SummaryController.cs

@@ -4,6 +4,7 @@ using Budget.Api.Models;
 using Budget.Api.Services;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
+using Microsoft.AspNetCore.RateLimiting;
 using Microsoft.EntityFrameworkCore;
 
 namespace Budget.Api.Controllers;
@@ -75,6 +76,7 @@ public class SummaryController(AppDbContext db, BudgetAuthorizationService authz
     }
 
     [HttpPut("tax-rate")]
+    [EnableRateLimiting("writes")]
     public async Task<IActionResult> UpdateTaxRate(Guid budgetId, [FromBody] UpdateTaxRateRequest req)
     {
         if (TryGetUserId(out var userId) is { } err) return err;