
Rate-limit user-facing axon endpoints to block request floods before they hit chain queries #15

Open

bittoby wants to merge 1 commit into entrius:test from bittoby:feat/axon-rate-limiting

bittoby commented Apr 7, 2026

Rate-limit swap reserve and confirm endpoints

Right now blacklist_swap_reserve and blacklist_swap_confirm are pass-throughs - they always return (False, 'Passed'). Every request goes straight to the forward handler, grabs axon_lock, and fires off chain RPC calls. Nothing stops a single IP from flooding these endpoints and blocking all other traffic.

This adds a simple per-IP rate limiter (10 req/min sliding window) that rejects floods in the blacklist phase, before any expensive work happens.

Changes

  • New AxonRateLimiter class in allways/validator/rate_limiter.py - thread-safe sliding window, auto-cleans stale entries
  • Updated both blacklist handlers to check the rate limiter instead of passing everything through
  • Added rate limit constants to constants.py
  • Initialized the limiter on the validator in neurons/validator.py

Notes

  • Fails open - if IP is missing or limiter isn't set up, requests pass through as before
  • MinerActivate already has hotkey auth in its blacklist, so it doesn't need this
  • The dendrite IP comes from a client header so it can be spoofed, but it still raises the bar compared to zero protection
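
A per-IP sliding-window check of the kind the description outlines (10 requests per 60 seconds, thread-safe, stale entries swept, fail-open), added here as an example and not the PR's code. The names `SlidingWindowLimiter` and `blacklist_check`, the injectable clock, and the `(True, reason)` rejection tuple are assumptions; only the `(False, 'Passed')` pass-through value comes from the description.

```python
import threading
import time
from collections import deque


class SlidingWindowLimiter:
    """Per-key sliding window: at most `limit` hits in any `window` seconds."""

    def __init__(self, limit=10, window=60.0, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self._hits = {}                 # key -> deque of accepted-hit timestamps
        self._lock = threading.Lock()   # handlers may run on several threads
        self._last_sweep = clock()

    def allow(self, key):
        now = self.clock()
        with self._lock:
            if now - self._last_sweep >= self.window:
                self._sweep(now)
            q = self._hits.setdefault(key, deque())
            while q and now - q[0] >= self.window:
                q.popleft()             # expire hits that left the window
            if len(q) >= self.limit:
                return False            # rejected hits are not recorded
            q.append(now)
            return True

    def _sweep(self, now):
        # Keys are client-supplied values, so idle ones must be dropped or
        # the table grows with every distinct key ever seen.
        stale = [k for k, q in self._hits.items()
                 if not q or now - q[-1] >= self.window]
        for k in stale:
            del self._hits[k]
        self._last_sweep = now

    def tracked(self):
        with self._lock:
            return len(self._hits)


def blacklist_check(limiter, ip):
    """Blacklist-phase check; returns (blocked, reason)."""
    if limiter is None or not ip:
        return False, "Passed"          # fail open, as the notes describe
    if limiter.allow(ip):
        return False, "Passed"
    return True, "Rate limit exceeded"
```
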
