Add SMTP infrastructure + auth rate limiting

Foundation for the upcoming email-based invite and password-reset flows.

- IEmailSender abstraction with SmtpEmailSender (MailKit 4.16) and a
  LoggingEmailSender fallback used automatically when SMTP is unconfigured
  so local dev works without a real SMTP server.
- Fixed-window rate limits keyed by remote IP: 10 / 15 min on /login,
  5 / hour on /register. Returns 429 with Retry-After. Bypassed in the
  Testing environment so the existing integration suite is unaffected.
- New env vars (SMTP_*, APP_BASE_URL) plumbed through docker-compose
  and documented in .env.example.

src/backend/YesChef.Api.IntegrationTests/Features/AuthRateLimitTests.cs

@@ -0,0 +1,93 @@
+using System.Net;
+using System.Net.Http.Json;
+using YesChef.Api.Auth;
+using YesChef.Api.IntegrationTests.Infrastructure;
+
+namespace YesChef.Api.IntegrationTests.Features;
+
+/// <summary>
+/// Verifies the auth-endpoint rate limits actually fire. Uses a
+/// non-"Testing" environment so the limiter is not bypassed; that means a
+/// fresh app/factory is constructed per test rather than reusing the base
+/// class's Testing-env app.
+/// </summary>
+public class AuthRateLimitTests : IntegrationTest
+{
+    [Test]
+    public async Task Login_returns_429_after_exhausting_limit()
+    {
+        await using var liveApp = new YesChefAppFactory
+        {
+            ConnectionString = await CloneDatabaseAsync(),
+            EnvironmentName = "Production",
+        };
+        using var client = liveApp.CreateClient();
+
+        // Limit is 10 per 15-minute window. Eleventh call must be rejected.
+        // Using a non-existent user keeps each request a 401 — wrong-password
+        // path still counts toward the limit.
+        HttpResponseMessage? lastResponse = null;
+        for (var i = 0; i < 11; i++)
+        {
+            lastResponse?.Dispose();
+            lastResponse = await client.PostAsJsonAsync("/api/auth/login",
+                new AuthEndpoints.LoginRequest("ghost", "anything"));
+        }
+
+        await Assert.That(lastResponse!.StatusCode).IsEqualTo(HttpStatusCode.TooManyRequests);
+        await Assert.That(lastResponse.Headers.Contains("Retry-After")).IsTrue();
+        lastResponse.Dispose();
+    }
+
+    [Test]
+    public async Task Register_returns_429_after_exhausting_limit()
+    {
+        await using var liveApp = new YesChefAppFactory
+        {
+            ConnectionString = await CloneDatabaseAsync(),
+            EnvironmentName = "Production",
+        };
+        using var client = liveApp.CreateClient();
+
+        // Limit is 5 per hour. Sixth call must be rejected. Use unique names so
+        // we don't trip the duplicate-name check before the limiter does.
+        HttpResponseMessage? lastResponse = null;
+        for (var i = 0; i < 6; i++)
+        {
+            lastResponse?.Dispose();
+            lastResponse = await client.PostAsJsonAsync("/api/auth/register",
+                new AuthEndpoints.RegisterRequest($"rate-{i}", "pw-1234", YesChefAppFactory.FamilyCode));
+        }
+
+        await Assert.That(lastResponse!.StatusCode).IsEqualTo(HttpStatusCode.TooManyRequests);
+        lastResponse.Dispose();
+    }
+
+    [Test]
+    public async Task Testing_env_bypasses_limit()
+    {
+        // The base class's app uses the Testing env; firing well past the
+        // production limit must keep returning 401 (not 429). Sanity check
+        // that the existing AuthEndpointsTests aren't going to start flaking.
+        for (var i = 0; i < 15; i++)
+        {
+            using var response = await AnonymousClient.PostAsJsonAsync("/api/auth/login",
+                new AuthEndpoints.LoginRequest("ghost", "anything"));
+            await Assert.That(response.StatusCode).IsEqualTo(HttpStatusCode.Unauthorized);
+        }
+    }
+
+    /// <summary>
+    /// The IntegrationTest base allocates one DB per test. We need a second
+    /// independent connection string for the live-env factory; clone again
+    /// from the same Postgres fixture.
+    /// </summary>
+    private async Task<string> CloneDatabaseAsync()
+    {
+        var db = await Postgres.CreateDatabaseAsync();
+        // Leak the TestDatabase wrapper — the connection string lives as long
+        // as the Postgres fixture (per-session). Acceptable for a tiny number
+        // of rate-limit tests.
+        return db.ConnectionString;
+    }
+}