Harden auth flows and add backend quality gate

backend/app/config.py

@@ -9,6 +9,9 @@ class Settings(BaseSettings):
     app_name: str = "Magent"
     cors_allow_origin: str = "http://localhost:3000"
     sqlite_path: str = Field(default="data/magent.db", validation_alias=AliasChoices("SQLITE_PATH"))
+    sqlite_journal_mode: str = Field(
+        default="DELETE", validation_alias=AliasChoices("SQLITE_JOURNAL_MODE")
+    )
     jwt_secret: str = Field(default="change-me", validation_alias=AliasChoices("JWT_SECRET"))
     jwt_exp_minutes: int = Field(default=720, validation_alias=AliasChoices("JWT_EXP_MINUTES"))
     api_docs_enabled: bool = Field(default=False, validation_alias=AliasChoices("API_DOCS_ENABLED"))
@@ -21,6 +24,15 @@ class Settings(BaseSettings):
     auth_rate_limit_max_attempts_user: int = Field(
         default=5, validation_alias=AliasChoices("AUTH_RATE_LIMIT_MAX_ATTEMPTS_USER")
     )
+    password_reset_rate_limit_window_seconds: int = Field(
+        default=300, validation_alias=AliasChoices("PASSWORD_RESET_RATE_LIMIT_WINDOW_SECONDS")
+    )
+    password_reset_rate_limit_max_attempts_ip: int = Field(
+        default=6, validation_alias=AliasChoices("PASSWORD_RESET_RATE_LIMIT_MAX_ATTEMPTS_IP")
+    )
+    password_reset_rate_limit_max_attempts_identifier: int = Field(
+        default=3, validation_alias=AliasChoices("PASSWORD_RESET_RATE_LIMIT_MAX_ATTEMPTS_IDENTIFIER")
+    )
     admin_username: str = Field(default="admin", validation_alias=AliasChoices("ADMIN_USERNAME"))
     admin_password: str = Field(default="adminadmin", validation_alias=AliasChoices("ADMIN_PASSWORD"))
     log_level: str = Field(default="INFO", validation_alias=AliasChoices("LOG_LEVEL"))