feat(rate-limiter): pluggable algorithms with Rust-backed execution engine, benchmarks, and validation (#3809)

* feat(rate-limiter): pluggable algorithms, tenant isolation fix, and scale load test

- Add pluggable algorithm strategy: fixed_window, sliding_window, token_bucket
- Add Redis backend for shared cross-instance rate limiting
- Fix tenant isolation: skip by_tenant when tenant_id is None
- Fix sliding window: sweep expired timestamps before counting
- Fix backend validation: restore _validate_config check
- Fix token bucket memory path: apply max(1,...) guard to reset timestamp
- Add Redis integration tests for all three algorithms
- Add direct regression tests for get_current_user tenant_id fallback
- Add scale load test with Redis memory timeline and live algorithm detection
- Add RL_PACE_MULTIPLIER for near-limit pace testing and boundary burst detection
- Remove redundant algorithm locustfile; scale file is canonical
- Correct stale comments and README limitations

Signed-off-by: Pratik Gandhi <gandhipratik203@gmail.com>

* feat(rate-limiter): add Rust-backed engine, check() API, benchmarks, and validation

- Rust-backed sliding window engine with pyo3-log integration
- check() API with tenant propagation, sweep/retry-after support
- Eliminate redundant ZRANGE in sliding window Lua script
- Fix detect-secrets baseline for rate limiter load tests
- Clarify memory backend is single-instance only in docs

Signed-off-by: Pratik Gandhi <gandhipratik203@gmail.com>

* chore: regenerate detect-secrets baseline after rebase

Signed-off-by: Pratik Gandhi <gandhipratik203@gmail.com>

* refactor(rate-limiter): review fixes, Redis hardening, key-format parity tests

- Extract _dispatch_hook() shared by prompt_pre_fetch and tool_pre_invoke,
  reducing each hook to a single-line wrapper
- Elevate Redis val_i64/val_f64 parse-error logging from warn to error so
  silent fail-open degradation surfaces in operator dashboards
- Clamp sliding-window reset_timestamp with .max(1) so it is always strictly
  in the future even when the oldest entry expires in < 1 s
- Add 5 s tokio::time::timeout around Redis connection establishment to
  prevent indefinite blocking on network partition
- Replace silent except-pass in EVALSHA SHA tracking with logger.debug
- Document dual Lua-script invariant (rolling-upgrade key-format parity)
  in both Python RedisBackend docstring and Rust redis_backend.rs header
- Add 7 parametrized test_redis_key_format_parity_* tests validating that
  Python and Rust produce identical Redis keys for the same inputs
- Revert unrelated .pyi stub changes for encoded_exfil_detection, pii_filter,
  retry_with_backoff, and secrets_detection

Signed-off-by: Jonathan Springer <jps@s390x.com>

* fix: strip trailing whitespace in pyi stubs, remove accidental .claude/ralph-loop.local.md

- Remove plugins_rust/rate_limiter/.claude/ralph-loop.local.md which
  was accidentally committed — this is a local Claude Code loop state
  file and should never have been checked in.
- Fix trailing whitespace in plugins_rust/rate_limiter/python/
  rate_limiter_rust/__init__.pyi docstrings to pass pre-commit hooks.

Signed-off-by: Pratik Gandhi <gandhipratik203@gmail.com>

* chore: regenerate detect-secrets baseline for new exfil test strings

Update .secrets.baseline after adding test_extra_sensitive_keywords
in plugins_rust/encoded_exfil_detection/src/lib.rs:969 which contains
a fake credential string that triggers the Secret Keyword detector.
All new entries are false positives (test data).

Signed-off-by: Pratik Gandhi <gandhipratik203@gmail.com>

* chore: audit new detect-secrets baseline entries as false positives

The baseline regeneration reset is_secret to null for entries whose
line numbers shifted. Mark all 17 unaudited entries as is_secret=false
(test data, example configs, fake credentials) to pass the
--fail-on-unaudited pre-commit check.

Signed-off-by: Pratik Gandhi <gandhipratik203@gmail.com>

---------

Signed-off-by: Pratik Gandhi <gandhipratik203@gmail.com>
Signed-off-by: Jonathan Springer <jps@s390x.com>
Co-authored-by: Jonathan Springer <jps@s390x.com>

Author: gandhipratik203