Wire rate limit middleware into proxy runner chain

[jerm-dro]

Summary

Rate limiting CRD types and the token-bucket Limiter package were
merged in #4577. This PR wires the limiter into the proxy runner
middleware chain so rate limiting is enforced at runtime.

• Adds HTTP middleware that reads the parsed MCP request from context,
  rate-limits only tools/call requests, returns HTTP 429 with
  JSON-RPC error code -32029 and Retry-After header on rejection,
  and fails open on Redis errors
• Registers the middleware factory and positions it after auth and MCP
  parser in the middleware chain
• Maps spec.rateLimiting from the CRD to the RunConfig in the
  operator reconciler, carrying the CRD type directly
• Adds Ginkgo E2E acceptance tests that deploy Redis + MCPServer in a
  Kind cluster and verify rate limit enforcement

Closes #4551

Type of change

• New feature

Test plan

• Unit tests (task test)
• E2E tests (task test-e2e)
• Linting (task lint-fix)

Unit tests (12 new):

• Middleware handler: allowed, rejected (429 + -32029), fail-open,
  missing MCP context (500), non-tools/call passthrough
• Wiring: addRateLimitMiddleware nil/valid, PopulateMiddlewareConfigs
  presence/absence
• Operator: spec.rateLimiting flows to RunConfig

E2E tests (2 new):

• AC7: Burst of requests exceeds shared limit, 4th request gets HTTP
  429 with JSON-RPC -32029 and retryAfterSeconds
• AC8: MCPServer with both shared and per-tool config is accepted and
  reaches Running phase

Changes

File	Change
pkg/ratelimit/middleware.go	New: factory, handler, JSON-RPC error helpers, MiddlewareParams
pkg/runner/middleware.go	Register factory, add helper, call after MCP parser
pkg/runner/config.go	Add RateLimitConfig and RateLimitNamespace fields
pkg/runner/config_builder.go	Add WithRateLimitConfig builder option
cmd/thv-operator/controllers/mcpserver_runconfig.go	Map spec.rateLimiting to RunConfig
test/e2e/thv-operator/acceptance_tests/	New: Ginkgo E2E suite with Redis deploy and rate limit tests

Special notes for reviewers

• The middleware errors with HTTP 500 if ParsedMCPRequest is missing
  from context — this catches middleware ordering bugs at runtime
• Only tools/call requests are rate-limited; other MCP methods pass
  through unconditionally
• Redis client is created from SessionRedisConfig + the
  THV_SESSION_REDIS_PASSWORD env var, sharing connection info with
  session storage
• E2E tests follow the test/e2e/thv-operator/virtualmcp/ patterns

Large PR Justification

1140 lines across 11 files, but 844 lines are tests (unit + E2E
infrastructure). The 296 lines of production code span 5 files that
form a single logical change: middleware + wiring + operator mapping.

Generated with Claude Code

[codecov]

Codecov Report

❌ Patch coverage is 61.16505% with 40 lines in your changes missing coverage. Please review.
✅ Project coverage is 68.84%. Comparing base (9f38bbe) to head (0f476a5).
⚠️ Report is 3 commits behind head on main.

Files with missing lines	Patch %	Lines
pkg/ratelimit/middleware.go	54.05%	33 Missing and 1 partial ⚠️
pkg/runner/middleware.go	71.42%	3 Missing and 3 partials ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #4652      +/-   ##
==========================================
- Coverage   68.88%   68.84%   -0.05%     
==========================================
  Files         506      509       +3     
  Lines       52449    52642     +193     
==========================================
+ Hits        36130    36240     +110     
- Misses      13525    13607      +82     
- Partials     2794     2795       +1     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.