[Feature] Migrate API rate limiting to penguin-limiter shared library #77

@PenguinzTech

User Story

As a platform engineer, I want rate limiting handled by a shared `penguin-limiter` library so that REST, gRPC, and H3 endpoints share consistent limiting logic across all Penguin Tech services.

Background

Elder currently has ad-hoc rate limiting in two places:

  • `apps/api/main.py` — Flask 429 error handler (Flask-Limiter pattern)
  • `apps/api/services/sbom/vulnerability/nvd_client.py` — NVD API rate limiting
  • `apps/api/config.py` — rate limit configuration

A new shared library `penguin-limiter` should be created in `penguin-libs` and Elder should be migrated to use it.

Acceptance Criteria

  • `penguin-limiter` Python package created in `~/code/penguin-libs/packages/penguin-limiter/` and published to PyPI
  • Supports REST (Flask/Quart), gRPC, and H3 endpoint limiting
  • Configurable backends: in-memory (default), Redis/Valkey
  • Per-endpoint, per-user, per-IP, and global limit strategies
  • Standardized 429 response format: `{"error": "rate_limit_exceeded", "retry_after": N}`
  • Elder `apps/api/main.py` migrated to use `penguin-limiter`
  • Elder `apps/api/services/sbom/vulnerability/nvd_client.py` migrated to use `penguin-limiter`
  • Elder `apps/api/config.py` rate limit config migrated to `penguin-limiter` config format
  • Unit tests ≥ 90% coverage in `penguin-limiter`
  • Integration tests for Elder rate-limited endpoints
  • All linting passes (`flake8`, `black`, `isort`, `mypy --strict`, `bandit`)
  • Security scan passes (`bandit -r .`, `safety check`)
  • `penguin-limiter` documented in penguin-libs README

Notes

  • `penguin-limiter` does NOT exist yet — must be created from scratch in `penguin-libs`
  • Use Redis/Valkey backend for distributed limiting in K8s deployments; in-memory for local/alpha
  • The library should follow the same structure as existing penguin-libs Python packages (`penguin-dal`, `penguin-utils`, etc.)
  • Go support (for gRPC/H3 services) may be deferred to a follow-up issue if scope becomes too large
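
A sketch of the limiting behaviour the acceptance criteria describe, added here as an illustration; it is not part of the original issue and not `penguin-limiter` code, since that library does not exist yet. Every name in it (`InMemoryLimiter`, `STRATEGIES`, `check`, the request dict shape) is hypothetical, and the sliding-window algorithm is an assumption; only the 429 body format comes from the issue.

```python
import math
import time
from collections import defaultdict, deque

# Hypothetical names throughout: penguin-limiter does not exist yet.
STRATEGIES = {
    "global": lambda req: "global",
    "per_ip": lambda req: f"ip:{req['ip']}",
    "per_user": lambda req: f"user:{req['user']}",
    "per_endpoint": lambda req: f"ep:{req['endpoint']}",
}

class InMemoryLimiter:
    """Sliding-window log limiter; single-process only (the in-memory backend)."""

    def __init__(self, limit, window_s, strategy="per_ip", clock=time.monotonic):
        self.limit, self.window_s = limit, window_s
        self.key_for = STRATEGIES[strategy]
        self.clock = clock
        self.hits = defaultdict(deque)  # key -> timestamps of accepted requests

    def check(self, req):
        """Return (status, body): (200, None) or (429, standardized error body)."""
        now = self.clock()
        q = self.hits[self.key_for(req)]
        while q and now - q[0] >= self.window_s:  # drop hits outside the window
            q.popleft()
        if len(q) < self.limit:
            q.append(now)
            return 200, None
        # Seconds until the oldest hit leaves the window, rounded up, at least 1.
        retry_after = max(1, math.ceil(q[0] + self.window_s - now))
        return 429, {"error": "rate_limit_exceeded", "retry_after": retry_after}

def demo():
    """Constructed requests against a fake clock: 2 requests per 10 s, per IP."""
    t = [0.0]
    lim = InMemoryLimiter(limit=2, window_s=10, strategy="per_ip", clock=lambda: t[0])
    a = {"ip": "192.0.2.10", "user": "alice", "endpoint": "/api/v1/x"}
    b = {"ip": "192.0.2.20", "user": "bob", "endpoint": "/api/v1/x"}
    out = [lim.check(a), lim.check(a)]
    t[0] = 4.0
    out += [lim.check(a), lim.check(b)]  # a is throttled, b has its own bucket
    t[0] = 10.0
    out.append(lim.check(a))  # hits from t=0 have left the window
    return out
```

The per-key map grows with every distinct key, so a real in-memory backend needs eviction of idle keys, and each replica counts separately, which is why the issue calls for Redis/Valkey in K8s deployments.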
