feat(api): add helmet security headers and rate limiting

- Add helmet middleware for secure HTTP response headers
- Add express-rate-limit with three limiters:
  - authLimiter: per-IP, 20 req/15min on /api/auth/*
  - gameLimiter: per-user, 150 req/15min (not yet wired)
  - lobbyLimiter: per-user, 20 req/15min (not yet wired)
- Set trust proxy for correct client IP behind Caddy
- Add tests for all three limiters and helmet headers

apps/api/src/app.test.ts

@@ -0,0 +1,39 @@
+import request from "supertest";
+import { describe, it, expect } from "vitest";
+import { createApp } from "./app.js";
+
+const app = createApp();
+
+describe("security headers (helmet)", () => {
+  it("sets X-Content-Type-Options to nosniff", async () => {
+    const res = await request(app).get("/api/v1/health");
+    expect(res.headers["x-content-type-options"]).toBe("nosniff");
+  });
+
+  it("sets X-Frame-Options to SAMEORIGIN", async () => {
+    const res = await request(app).get("/api/v1/health");
+    expect(res.headers["x-frame-options"]).toBe("SAMEORIGIN");
+  });
+
+  it("removes X-Powered-By header", async () => {
+    const res = await request(app).get("/api/v1/health");
+    expect(res.headers).not.toHaveProperty("x-powered-by");
+  });
+
+  it("sets Content-Security-Policy", async () => {
+    const res = await request(app).get("/api/v1/health");
+    expect(res.headers).toHaveProperty("content-security-policy");
+  });
+});
+
+describe("auth rate limiting", () => {
+  it("returns 429 after exceeding the auth limit", async () => {
+    const testApp = createApp();
+    const limit = 20;
+    for (let i = 0; i < limit; i++) {
+      await request(testApp).post("/api/auth/sign-in");
+    }
+    const res = await request(testApp).post("/api/auth/sign-in");
+    expect(res.status).toBe(429);
+  });
+});