feat(server): add Redis-based rate limiting middleware

Store Redis client in AppState instead of discarding it. Create
rate_limit middleware using Redis INCR + EXPIRE for fixed-window
counting. Apply user-based rate limiting (100 req/min) to all
protected routes. Graceful degradation when Redis is unavailable.

crates/erp-server/src/state.rs

@@ -13,6 +13,7 @@ pub struct AppState {
     pub config: AppConfig,
     pub event_bus: EventBus,
     pub module_registry: ModuleRegistry,
+    pub redis: redis::Client,
 }
 
 /// Allow handlers to extract `DatabaseConnection` directly from `State<AppState>`.