fix: prevent setup screen showing on rate limit and exclude status checks from auth rate limiting

- Login component now handles 429 rate limit responses correctly
- When rate limited, assume auth is configured and show login form
- /api/security/status endpoint excluded from strict auth rate limiting
- Status checks now use general API rate limit (500/min) instead of auth limit (10/min)
- Fixes issue where rapid logout/login could trigger rate limiting
- Fixes setup screen appearing incorrectly when rate limited
This commit is contained in:
Pulse Monitor 2025-08-17 07:08:42 +00:00
parent b458f5630e
commit c15393bccf
2 changed files with 6 additions and 2 deletions


@ -34,6 +34,10 @@ export const Login: Component<LoginProps> = (props) => {
const data = await response.json();
console.log('[Login] Auth status data:', data);
setAuthStatus(data);
} else if (response.status === 429) {
// Rate limited - wait a bit and assume auth is configured
console.log('[Login] Rate limited, assuming auth is configured');
setAuthStatus({ hasAuthentication: true });
} else {
console.log('[Login] Auth check failed, assuming no auth');
// On error, assume no auth configured
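Review bot: The comment on the new 429 branch says "wait a bit", but the code neither waits nor retries — it immediately records the assumed status, so the comment misdescribes what the branch does; reword it to `// Rate limited - assume auth is configured so the setup screen is never shown on a throttled check`, or actually honor the server's `Retry-After` header and re-run the status check before settling on the assumption. Failing toward `hasAuthentication: true` is the right direction (a throttled client lands on the login form, not on first-run setup), but the surrounding else branch still assumes no auth on any other non-OK status, so a transient 5xx from the status endpoint would still surface the setup screen; that is worth the same treatment in a follow-up. Whether `{ hasAuthentication: true }` satisfies the full shape that `setAuthStatus` expects cannot be confirmed from this hunk. The enclosing async handler begins and ends outside the hunk.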


@ -763,8 +763,8 @@ func (r *Router) ServeHTTP(w http.ResponseWriter, req *http.Request) {
}
}
// Apply stricter rate limiting for auth endpoints
if strings.Contains(req.URL.Path, "/api/security/") || req.URL.Path == "/api/login" {
// Apply stricter rate limiting for auth endpoints (but not status checks)
if (strings.Contains(req.URL.Path, "/api/security/") && req.URL.Path != "/api/security/status") || req.URL.Path == "/api/login" {
clientIP := GetClientIP(req)
// Use auth limiter for security endpoints (10 per minute)
if !authLimiter.Allow(clientIP) {