Add rate limiting per IP for API endpoints

[Emperor42]

Prevent abuse (e.g., a bot repeatedly adding/removing sources). Use a lightweight token bucket (e.g., golang.org/x/time/rate) keyed by client IP. Return 429 Too Many Requests when the limit is exceeded.