Add rate limiting and in-memory caching for forward auth endpoint

Rate limit failed attempts (50/min per IP) with 429 + Retry-After.
Cache forward auth applications in a dedicated MemoryStore (8MB LRU)
to avoid loading all apps from SQLite on every request. Debounce
last_activity_at writes to at most once per minute per session.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Dan Milne
2026-03-07 11:15:54 +11:00
parent 1b691ad341
commit 5505f99287
5 changed files with 162 additions and 10 deletions

@@ -22,6 +22,8 @@ class Application < ApplicationRecord
super(parsed)
end
after_commit :bust_forward_auth_cache, if: :forward_auth?
has_one_attached :icon
# Fix SVG content type after attachment
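Review bot: the `if: :forward_auth?` condition on the `after_commit` is evaluated against the record's state after the write, so an application whose type is changed away from forward auth would not bust the cache and could keep being served from the cached list until the entry expires or is evicted. Consider dropping the condition (the delete is cheap) or also firing when the previous type was forward auth. Writes that skip callbacks (`update_column`, `update_all`) will not invalidate the cache either, which is worth a comment next to the callback.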
@@ -268,6 +270,10 @@ class Application < ApplicationRecord
private
def bust_forward_auth_cache
Rails.application.config.forward_auth_cache&.delete("fa_apps")
end
def fix_icon_content_type
return unless icon.attached?
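Review bot: `bust_forward_auth_cache` deletes from a MemoryStore, which lives inside a single process, so with more than one app server worker the delete only clears the copy in the worker that handled the write and the others keep their cached application list. For an auth decision that means a disabled or edited application can stay in effect in those workers, so the cache entry should carry a short expiry, or the single-process assumption should be documented here. The `"fa_apps"` literal also has to match the key used on the read side, so a shared constant would keep the two in sync, and the `&.` silently hides a missing `forward_auth_cache` config.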