Harden auth login against brute-force and refresh security docs

doc/api-contract.md

@@ -16,6 +16,7 @@ Primary implementation modules:
 - Authentication is session-based bearer auth.
 - Clients authenticate with `POST /auth/login` using username and password.
 - Backend issues per-user bearer session tokens and stores hashed session state server-side.
+- Login brute-force protection enforces Redis-backed throttle checks keyed by username and source IP.
 - Clients send issued tokens as `Authorization: Bearer <token>`.
 - `GET /auth/me` returns current identity and role.
 - `POST /auth/logout` revokes current session token.
@@ -35,6 +36,10 @@ Ownership rules:
 - `POST /auth/login`
   - Body model: `AuthLoginRequest`
   - Response model: `AuthLoginResponse`
+  - Additional responses:
+    - `401` for invalid credentials
+    - `429` for throttled login attempts, with stable message and `Retry-After` header
+    - `503` when the login rate-limiter backend is unavailable
 - `GET /auth/me`
   - Response model: `AuthSessionResponse`
 - `POST /auth/logout`