add rate limiting and HSTS for security hardening

- Add Hammer library for rate limiting with ETS backend
- Rate limit login (5/min), magic link (3/min), newsletter (10/min), API (60/min)
- Add themed 429 error page using bare shop styling
- Enable HSTS in production with rewrite_on for Fly proxy
- Add security hardening plan to docs

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

lib/berrypod_web/controllers/newsletter_controller.ex

@@ -3,6 +3,8 @@ defmodule BerrypodWeb.NewsletterController do
 
   alias Berrypod.Newsletter
 
+  plug BerrypodWeb.Plugs.RateLimit, [type: :newsletter] when action == :subscribe
+
   @doc "No-JS fallback for newsletter signup form."
   def subscribe(conn, %{"email" => email}) do
     ip_hash = hash_ip(conn)