feat: add IP-based login brute-force protection (#531)

* feat: add IP-based login brute-force protection

- Per-IP rate limiting: 3 failed login attempts locks the IP for 1 hour
- Separate counters for password login and token auth
- Global safety net: 20 req/min, hard lock after 50 total failures
- Persistent lock state to ~/.hermes-web-ui/.login-lock.json (survives restarts)
- Manual unlock: edit or delete the lock file
- Frontend handles 429/503 responses with localized error messages
- i18n support for 8 languages

* feat: add locked IP management endpoint and UI

- GET /api/auth/locked-ips: list all currently locked IPs (protected)
- DELETE /api/auth/locked-ips/:ip: unlock a specific IP (protected)
- DELETE /api/auth/locked-ips: unlock all IPs (protected)
- AccountSettings: shows locked IPs with remaining time, unlock buttons
- i18n support for 8 languages
- Clean up stale .js artifacts, add .gitignore rule

* fix: cross-type IP lock and IPv6-compatible unlock route

- Password and token login now share IP lock state: if an IP is locked
  by either method, ALL auth methods are blocked for that IP
- Changed unlock endpoint from path param to query param (?ip=xxx) to
  support IPv6 addresses containing colons
- Merged unlockIp and unlockAll into a single handler

* chore: increase global login rate limit from 20 to 100 requests per minute

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

---------

Co-authored-by: ekko <fqsy1416@gmail.com>
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

packages/server/src/routes/auth.ts

@@ -12,3 +12,5 @@ authProtectedRoutes.post('/api/auth/setup', ctrl.setupPassword)
 authProtectedRoutes.post('/api/auth/change-password', ctrl.changePassword)
 authProtectedRoutes.post('/api/auth/change-username', ctrl.changeUsername)
 authProtectedRoutes.delete('/api/auth/password', ctrl.removePassword)
+authProtectedRoutes.get('/api/auth/locked-ips', ctrl.listLockedIps)
+authProtectedRoutes.delete('/api/auth/locked-ips', ctrl.unlockIpHandler)