security: add stricter rate limit on login endpoint (20/min)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

src/routes/admin/auth.ts

@@ -24,7 +24,14 @@ function setRefreshCookie(reply: import('fastify').FastifyReply, token: string,
 
 export default async function authRoutes(fastify: FastifyInstance): Promise<void> {
   // POST /api/admin/login
-  fastify.post<{ Body: LoginRequest }>('/login', async (request, reply) => {
+  fastify.post<{ Body: LoginRequest }>('/login', {
+    config: {
+      rateLimit: {
+        max: 20,
+        timeWindow: '1 minute',
+      },
+    },
+  }, async (request, reply) => {
     const { username, password, remember_me } = request.body;
 
     if (!username || !password) {