feat(api): rate-limit /auth/login + scaffold threat model

Adds slowapi two-bucket rate limit on /auth/login — 10 attempts per
5 minutes per-IP AND per-username, tripping either → 429. Per-IP
catches botnets hitting one account; per-username catches distributed
credential stuffing against one account. In-memory storage: dashboard
API is single-process, Redis is disproportionate for v1.

X-Forwarded-For is deliberately NOT trusted (spoofable); reverse-proxy
deployments get one shared bucket per proxy IP. Logged in the threat
model as accepted risk DA-08, to be revisited when a verified-proxy
config lands.

Also scaffolds development/THREAT_MODEL.md with STRIDE-per-element
methodology, system-context DFD, and Dashboard↔API as the first fully
worked component (7 sub-flows, ~50 threat entries). F1 Authn ships
with 3 threats mitigated: rate limit (new), uniform 401 (verified
already in place), bcrypt length clamp (verified already in place via
Pydantic max_length=72).

decnet/web/router/auth/api_login.py

@@ -1,7 +1,7 @@
 from datetime import timedelta
 from typing import Any, Optional
 
-from fastapi import APIRouter, HTTPException, status
+from fastapi import APIRouter, HTTPException, Request, status
 
 from decnet.telemetry import traced as _traced
 from decnet.web.auth import (
@@ -11,10 +11,22 @@ from decnet.web.auth import (
 )
 from decnet.web.dependencies import get_user_by_username_cached
 from decnet.web.db.models import LoginRequest, Token
+from decnet.web.limiter import limiter, login_ip_key, login_username_key
 
 router = APIRouter()
 
 
+# Two independent buckets, tripping either → 429:
+#
+#   - per-IP   (login_ip_key):       catches a botnet hitting one account.
+#   - per-user (login_username_key): catches distributed credential
+#                                    stuffing against one account.
+#
+# Limits: 10 attempts per 5 minutes per bucket. Buckets are process-local
+# (memory://); see decnet/web/limiter.py for the rationale. Buckets do
+# NOT reset on successful login — a legitimate user tripping the limit
+# via fat-fingering will need to wait the window out. 10 tries is
+# generous; a rolling window naturally drains.
 @router.post(
     "/auth/login",
     response_model=Token,
@@ -22,13 +34,16 @@ router = APIRouter()
     responses={
         400: {"description": "Bad Request (e.g. malformed JSON)"},
         401: {"description": "Incorrect username or password"},
-        422: {"description": "Validation error"}
+        422: {"description": "Validation error"},
+        429: {"description": "Too many login attempts — retry after the window resets"},
     },
 )
+@limiter.limit("10/5 minutes", key_func=login_ip_key)
+@limiter.limit("10/5 minutes", key_func=login_username_key)
 @_traced("api.login")
-async def login(request: LoginRequest) -> dict[str, Any]:
-    _user: Optional[dict[str, Any]] = await get_user_by_username_cached(request.username)
-    if not _user or not await averify_password(request.password, _user["password_hash"]):
+async def login(request: Request, payload: LoginRequest) -> dict[str, Any]:
+    _user: Optional[dict[str, Any]] = await get_user_by_username_cached(payload.username)
+    if not _user or not await averify_password(payload.password, _user["password_hash"]):
         raise HTTPException(
             status_code=status.HTTP_401_UNAUTHORIZED,
             detail="Incorrect username or password",