Add connection rate limiting

[baelter]

Summary

• Add token bucket rate limiter that rejects new connections at the TCP level before the AMQP/MQTT handshake
• Two config options: connection_rate_limit (global max new connections/sec) and connection_rate_limit_per_ip (per source IP), both default to 0 (unlimited)
• Rate limiting runs synchronously in the accept loop before spawning a fiber, so rejected connections never allocate a fiber or enter the handshake
• Rate-limited log messages (max 1/sec) to avoid log spam when rejecting

Motivation

When LavinMQ is CPU-saturated, handshake timeouts cause clients to disconnect and immediately reconnect, creating a death spiral. Each reconnection goes through the full AMQP handshake (confirm_header, start, authenticate, tune, open), consuming CPU that should serve existing connections. Rejecting at the TCP level is orders of magnitude cheaper.

Test plan

• make test SPEC=spec/connection_rate_limit_spec.cr (11 specs)
• Manual test: set connection_rate_limit = 10, connect many clients, verify excess connections are rejected immediately
• Verify existing connection tests still pass

[claude]

Code Review

No issues found. The implementation is solid:

• Token bucket algorithm is correctly implemented with proper mutex synchronization for thread safety.
• Rate limit checks happen synchronously in the accept loop (before spawning fibers), which correctly prevents fiber explosion under connection floods.
• Per-IP and global limits compose correctly via short-circuit evaluation (per-IP checked first to avoid wasting global tokens).
• Bounded memory usage via MAX_TRACKED_IPS cap with O(1) eviction, plus periodic cleanup_stale_entries from the stats loop.
• PerIPState is a record (struct), avoiding heap allocations on state updates.
• Moving remote_address/remote_addr outside the spawn blocks is safe — closure capture works correctly and the values are used properly in both the rate check and the spawned fiber.