fix(auth): stop refresh 429 bouncing users to login; restore badge text color #249

Merged: bihius merged 1 commit into main from fix/refresh-rate-limit-badge-color on Jun 15, 2026

Conversation

@bihius (Owner) commented Jun 14, 2026

Summary

Follow-up to #247, which fixed the refresh cookie path but did not fully fix session survival on reload.

Session refresh (the real cause)

POST /auth/refresh shared login's strict brute-force limit (AUTH_RATE_LIMIT = 5/minute). But refresh carries no user credentials — only a signed HttpOnly cookie — and the frontend calls it automatically on every page load (twice under React StrictMode in dev). A few reloads exhausted the limit, returning 429, which restoreSession() treats as "no session" → user bounced to the login screen.

  • Add a dedicated REFRESH_RATE_LIMIT = 60/minute in rate_limit.py.
  • /auth/refresh now uses it instead of AUTH_RATE_LIMIT.
  • Replace the test that encoded the buggy 5/minute refresh limit with: one proving 10 rapid reloads are not throttled, and one confirming refresh is still bounded at the higher ceiling.

Note: the "canceled" requests seen in DevTools are React StrictMode's double-mount in the dev server (?v= HMR URLs, ...InDEV frames) and do not occur in a production build — no change made there.

Badge text color

Revert all six badge.tsx variants from text-foreground (white) back to their per-variant colors, so success/default badges render green again.

Validation

  • pnpm run type-check, pnpm run lint, pnpm test (79 passed)
  • uv run pytest --cov=app (396 passed), uv run mypy app/ (clean), uv run ruff check (clean on changed files)

Fixes #245

…xt color

The /auth/refresh endpoint shared login's strict 5/minute brute-force limit,
but it carries no user credentials (only a signed HttpOnly refresh cookie) and
the frontend calls it automatically on every page load (twice under React
StrictMode in dev). A few reloads exhausted the limit, returning 429 and
bouncing authenticated users to the login page.

Add a separate REFRESH_RATE_LIMIT (60/minute) for the refresh endpoint so
normal reloads survive while still bounding abuse of the rotating-token
endpoint. Update tests accordingly.

Also revert badge variant text from text-foreground (white) back to the
per-variant colors so success/default badges render green again.
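Added example, not code from this PR or the project's rate_limit.py: a sliding-window limiter keyed per endpoint and client, used to show why a refresh endpoint that shares login's AUTH_RATE_LIMIT throttles a handful of reloads with 429, while a separate REFRESH_RATE_LIMIT lets normal reloads (even StrictMode's doubled calls) through and still bounds the endpoint. The limit strings come from the PR; the limiter class, parse_limit, simulate_reloads and the injected clock are assumptions of this example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field

# Limit values as named in the PR; the constants and parser below are this example's own.
AUTH_RATE_LIMIT = "5/minute"      # login: carries credentials, brute-force sensitive
REFRESH_RATE_LIMIT = "60/minute"  # refresh: cookie-only, fired automatically on every page load


def parse_limit(spec: str) -> tuple[int, float]:
    """'5/minute' -> (5, 60.0). Only second/minute/hour are supported here."""
    count, unit = spec.split("/")
    seconds = {"second": 1.0, "minute": 60.0, "hour": 3600.0}[unit]
    return int(count), seconds


@dataclass
class SlidingWindowLimiter:
    """Per-(endpoint, client) sliding window; 'now' is injected so runs are deterministic."""
    hits: dict = field(default_factory=lambda: defaultdict(deque))

    def allow(self, endpoint: str, client: str, limit: str, now: float) -> bool:
        max_hits, window = parse_limit(limit)
        q = self.hits[(endpoint, client)]
        while q and now - q[0] >= window:   # drop hits that fell out of the window
            q.popleft()
        if len(q) >= max_hits:
            return False                    # caller maps this to HTTP 429
        q.append(now)
        return True


def refresh(limiter: SlidingWindowLimiter, client: str, now: float,
            limit: str = REFRESH_RATE_LIMIT) -> int:
    """Simulated POST /auth/refresh: 429 when throttled, otherwise 200 (cookie checks omitted)."""
    return 200 if limiter.allow("/auth/refresh", client, limit, now) else 429


def simulate_reloads(n: int, limit: str, dev_strict_mode: bool = False) -> list[int]:
    """Status codes for n page loads 0.5s apart from one browser; StrictMode doubles each call."""
    limiter = SlidingWindowLimiter()
    statuses = []
    for i in range(n):
        for _ in range(2 if dev_strict_mode else 1):
            statuses.append(refresh(limiter, "browser-1", i * 0.5, limit))
    return statuses
```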
bihius merged commit e21d58f into main on Jun 15, 2026
3 checks passed

Development

Successfully merging this pull request may close these issues.

Page reload on any authenticated route redirects the user back to the login screen
