Add rate limiting via lib-commons ratelimit.New() to all components #1977

@gandalf-at-lerian

Description

Context

The plugins (plugin-auth, plugin-identity) already have rate limiting via lib-commons v4's ratelimit.New(). No Midaz component currently has rate limiting.

Problem

  • Midaz APIs are exposed without any rate limiting
  • For a financial infrastructure product, this is a baseline security gap
  • Plugins already have this protection; Midaz core does not

Proposed Change

Add ratelimit.New() middleware from lib-commons v4 to all Midaz components:

  • ledger
  • transaction
  • plugin-crm
  • onboarding

What ratelimit.New() provides

  • Redis-backed rate limiting with configurable tiers: default, aggressive, relaxed
  • Fail-open / fail-closed modes (configurable)
  • OpenTelemetry integration for observability
  • Per-client identification via configurable headers

Acceptance Criteria

  • All four components have rate limiting middleware enabled
  • Rate limit tier configurable via env var (default: default)
  • Fail-open mode as default (rate limiting failure should not block requests)
  • Rate limit headers returned in responses (X-RateLimit-Limit, X-RateLimit-Remaining, Retry-After)
  • Redis connection reuses existing component Redis config where available
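The fail-open/fail-closed decision and the response headers listed in the acceptance criteria, as an added illustration that is not lib-commons's ratelimit.New() nor Midaz code: a hypothetical net/http middleware (Limiter, Counter and MemCounter are assumed names) where an in-memory counter stands in for Redis and a Down flag simulates the backend outage the fail-open criterion is about.

```go
package main

import (
	"errors"
	"net/http"
	"strconv"
)

// Counter is what a Redis store would implement: the caller's request count in
// the current window, or an error when the backend is unreachable.
type Counter interface{ Incr(client string) (int, error) }
// MemCounter is an in-memory stand-in for Redis; Down simulates an outage.
type MemCounter struct{ Counts map[string]int; Down bool }
func (m *MemCounter) Incr(client string) (int, error) {
	if m.Down {
		return 0, errors.New("backend unreachable")
	}
	m.Counts[client]++
	return m.Counts[client], nil
}
// Limiter is a hypothetical middleware; Limit would come from the configured
// tier (default/aggressive/relaxed) and FailOpen decides what a store error does.
type Limiter struct {
	Store            Counter
	Limit, WindowSec int
	FailOpen         bool
	ClientHdr        string // header that identifies the caller
}
func (l Limiter) Wrap(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		count, err := l.Store.Incr(r.Header.Get(l.ClientHdr))
		if err != nil && l.FailOpen { // limiter outage must not block traffic
			next.ServeHTTP(w, r)
			return
		}
		if err != nil { // fail-closed: refuse rather than serve unmetered
			http.Error(w, "rate limiter unavailable", http.StatusServiceUnavailable)
			return
		}
		w.Header().Set("X-RateLimit-Limit", strconv.Itoa(l.Limit))
		if count > l.Limit {
			w.Header().Set("X-RateLimit-Remaining", "0")
			w.Header().Set("Retry-After", strconv.Itoa(l.WindowSec))
			http.Error(w, "rate limit exceeded", http.StatusTooManyRequests)
			return
		}
		w.Header().Set("X-RateLimit-Remaining", strconv.Itoa(l.Limit-count))
		next.ServeHTTP(w, r)
	})
}
```

With fail-open as the default, a Redis outage silently removes the protection while requests keep flowing, so the store error path should be metered and alerted on rather than only logged.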
