Add persistent rate limiting + abuse protection for public API #51

@ritik4ever

Current API has no backend-level request throttling, making it vulnerable to abuse and accidental overload.

Implementation:
- Add Express rate limiting middleware with Redis store (shared across instances)
- Set separate policies for read-heavy endpoints vs mutating endpoints
- Add IP + wallet-address based throttling for critical routes
- Return standard 429 response with retry metadata

Acceptance Criteria:
- Abusive request bursts are throttled consistently across instances
- Critical write endpoints are protected from spam/replay bursts
- Rate-limit behavior is observable via logs/metrics
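
A sketch of the middleware this issue asks for, added as an illustration and not taken from the project's code: a fixed-window limiter with per-policy limits, IP plus wallet keys, a 429 with `Retry-After`, and one structured log line per throttled request. Assumptions: `MemoryStore` is a synchronous stand-in for the shared Redis store, `req.body.walletAddress` is a hypothetical field name, and the policy numbers are constructed.

```javascript
// Added example. MemoryStore is a synchronous stand-in for a shared Redis store:
// hit() mirrors INCR on the key plus PEXPIRE when the window is first opened.
class MemoryStore {
  constructor() { this.windows = new Map(); }
  hit(key, windowMs, now) {
    let w = this.windows.get(key);
    if (!w || w.resetAt <= now) {
      w = { count: 0, resetAt: now + windowMs };
      this.windows.set(key, w);
    }
    w.count += 1;
    return w;
  }
}

// Constructed policy values; tune per endpoint.
const POLICIES = {
  read: { name: 'read', windowMs: 60000, max: 300 },
  write: { name: 'write', windowMs: 60000, max: 10, byWallet: true },
};

function rateLimit(policy, store, { now = Date.now, log = console.log } = {}) {
  return function rateLimitMiddleware(req, res, next) {
    const t = now();
    // IP is always counted; the wallet key is added on top, never instead,
    // because the wallet address is client-supplied and cheap to rotate.
    const keys = [`rl:${policy.name}:ip:${req.ip}`];
    const wallet = policy.byWallet && req.body ? req.body.walletAddress : undefined; // hypothetical field
    if (typeof wallet === 'string' && wallet.length <= 128) {
      keys.push(`rl:${policy.name}:wallet:${wallet}`);
    }
    const hits = keys.map((key) => ({ key, ...store.hit(key, policy.windowMs, t) }));
    const over = hits.filter((h) => h.count > policy.max);
    if (over.length === 0) return next();

    // Tell the client when the longest-lived exceeded window resets.
    const retryAfter = Math.ceil((Math.max(...over.map((h) => h.resetAt)) - t) / 1000);
    log(JSON.stringify({ event: 'rate_limited', policy: policy.name, keys: over.map((h) => h.key), retryAfter }));
    res.set('Retry-After', String(retryAfter));
    return res.status(429).json({ error: 'rate_limited', retryAfterSeconds: retryAfter });
  };
}
```

With Redis behind it, `hit()` becomes an awaited call and the middleware becomes `async`; the key layout and the 429 path stay the same.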
