
feat(ratelimiter): add RateLimiterRegistry + evmrpc config fields #3507

Open. amir-deris wants to merge 17 commits into main from amir/plt-411-rate-limiter-registry-for-rpc

amir-deris commented May 26, 2026

Summary

  • Adds ratelimiter package with Registry: per-IP token-bucket rate limiter backed by an expirable LRU (50k entries, 1h TTL) using golang.org/x/time/rate
  • Allow(ctx, ip, plane, method) enforces the limit and increments the rpc_rate_limit_rejected_total{plane, method} OTel counter on rejection
  • IPFromHTTPRequest / IPFromGRPCContext extract the real client IP, honouring X-Forwarded-For only when RemoteAddr / peer address is within a configured trusted proxy CIDR
  • Adds rate_limiting_enabled, ip_rate_limit_rps, and ip_rate_limit_burst fields to evmrpc/config (defaults: enabled, 200 RPS, 400 burst); trusted_proxy_cidrs will be added when request-path wiring lands; existing nodes without these fields in app.toml fall back to defaults safely
  • No request-path wiring in this PR; EVM, CometBFT, and gRPC plane wiring follow in future PRs.

cursor Bot commented May 26, 2026

PR Summary

Medium Risk
New RPC protection logic and X-Forwarded-For trust rules affect availability and client identity once wired; defaults enable limiting at 200 RPS with no enforcement in this PR yet.

Overview
Introduces a new ratelimiter package with a per-IP Registry: token-bucket limits via golang.org/x/time/rate, one limiter per IP in an expirable LRU (50k entries, 1h idle TTL). Allow can be turned off when disabled, RPS ≤ 0, or burst ≤ 0; rejections record rpc_rate_limit_rejected_total with a plane label. Client IP helpers for HTTP and gRPC use rightmost untrusted X-Forwarded-For only when the direct peer is in trusted proxy CIDRs (defaults include RFC1918/loopback).

evmrpc/config gains rate_limiting_enabled, ip_rate_limit_rps, and ip_rate_limit_burst (defaults: on, 200 RPS, 400 burst), wired through ReadConfig, ConfigTemplate, and tests. No RPC/HTTP/gRPC middleware wiring in this PR—configuration and library only, for follow-up integration on EVM/CometBFT/gRPC planes.

Reviewed by Cursor Bugbot for commit 7c3f6c5. Bugbot is set up for automated code reviews on this repo. Configure here.
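
The X-Forwarded-For trust rule described in the two summaries above (use the header only when the direct peer is a trusted proxy, then take the rightmost untrusted hop), as an added example that is not code from this PR. `clientIP`, `isTrusted` and `sampleTrusted` are hypothetical names, the CIDRs and addresses are constructed, and falling back to the peer address on a malformed or all-trusted chain is an assumption rather than the PR's stated behaviour.

```go
package main

import (
	"fmt"
	"net"
	"net/netip"
	"strings"
)

// Constructed trusted-proxy ranges for the demo, not the PR's default list.
var sampleTrusted = []netip.Prefix{netip.MustParsePrefix("10.0.0.0/8"), netip.MustParsePrefix("127.0.0.0/8")}

func isTrusted(a netip.Addr, trusted []netip.Prefix) bool {
	for _, p := range trusted {
		if p.Contains(a) {
			return true
		}
	}
	return false
}

// clientIP (hypothetical helper) returns the address a per-IP limiter keys on.
func clientIP(remoteAddr, xff string, trusted []netip.Prefix) string {
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		host = remoteAddr
	}
	peer, err := netip.ParseAddr(host)
	if err != nil {
		return host // unparseable peer: key on the raw string
	}
	if peer = peer.Unmap(); !isTrusted(peer, trusted) {
		return peer.String() // direct client: the header is client-controlled, ignore it
	}
	hops := strings.Split(xff, ",")
	for i := len(hops) - 1; i >= 0; i-- { // walk right to left
		addr, err := netip.ParseAddr(strings.TrimSpace(hops[i]))
		if err != nil {
			break // malformed hop: fall back to the peer
		}
		if addr = addr.Unmap(); !isTrusted(addr, trusted) {
			return addr.String() // first hop not appended by our own proxies
		}
	}
	return peer.String()
}

func main() {
	fmt.Println(clientIP("10.0.0.5:4444", "6.6.6.6, 198.51.100.7, 10.0.0.9", sampleTrusted))
}
```

Entries to the left of the returned hop are supplied by the client, so a limiter keyed on the leftmost value could be sidestepped by sending a different forged address on each request.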

amir-deris changed the title from "Added rate limiter registry and test" to "feat(ratelimiter): add RateLimiterRegistry + evmrpc config fields (PLT-411 Phase 1a)" May 26, 2026

github-actions Bot commented May 26, 2026

The latest Buf updates on your PR. Results from workflow Buf / buf (pull_request).

Build | Format | Lint | Breaking | Updated (UTC)
✅ passed | ✅ passed | ✅ passed | ✅ passed | May 29, 2026, 6:07 PM

The latest Buf updates on your PR. Results from workflow Buf / buf (pull_request).

Build | Format | Lint | Breaking | Updated (UTC)
✅ passed | ✅ passed | ✅ passed | ✅ passed | May 26, 2026, 11:18 PM

amir-deris changed the title from "feat(ratelimiter): add RateLimiterRegistry + evmrpc config fields (PLT-411 Phase 1a)" to "feat(ratelimiter): add RateLimiterRegistry + evmrpc config fields" May 26, 2026
amir-deris requested review from bdchatham and masih May 26, 2026 23:20
Comment thread ratelimiter/registry.go
Comment thread ratelimiter/registry.go

codecov Bot commented May 26, 2026

Codecov Report

❌ Patch coverage is 95.34884% with 4 lines in your changes missing coverage. Please review.
✅ Project coverage is 58.18%. Comparing base (c4e1a2a) to head (7c3f6c5).
⚠️ Report is 1 commits behind head on main.

Files with missing lines | Patch % | Lines
ratelimiter/metrics.go | 50.00% | 1 Missing and 1 partial ⚠️
ratelimiter/registry.go | 97.26% | 1 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #3507      +/-   ##
==========================================
- Coverage   59.05%   58.18%   -0.88%     
==========================================
  Files        2205     2131      -74     
  Lines      182317   173508    -8809     
==========================================
- Hits       107672   100959    -6713     
+ Misses      64945    63580    -1365     
+ Partials     9700     8969     -731     
Flag | Coverage Δ
sei-chain-pr | 81.09% <95.34%> (?)
sei-db | 70.41% <ø> (-0.22%) ⬇️
sei-db-state-db | ?

Flags with carried forward coverage won't be shown.

Files with missing lines | Coverage Δ
evmrpc/config/config.go | 72.58% <100.00%> (+2.14%) ⬆️
ratelimiter/metrics.go | 50.00% <50.00%> (ø)
ratelimiter/registry.go | 97.26% <97.26%> (ø)

... and 112 files with indirect coverage changes

Comment thread evmrpc/config/config.go Outdated
Comment thread ratelimiter/registry.go
Comment thread ratelimiter/registry.go Outdated
Comment thread ratelimiter/registry.go Outdated
Comment thread ratelimiter/registry.go
Comment thread evmrpc/config/config.go Outdated
Comment thread ratelimiter/registry.go
cursor Bot left a comment

Cursor Bugbot has reviewed your changes using default effort and found 1 potential issue.

There are 3 total unresolved issues (including 2 from previous reviews).

Reviewed by Cursor Bugbot for commit cff02e5. Configure here.

Comment thread ratelimiter/registry.go