feat: migrate to Pydantic V2 and implement rate limiting middleware

- Migrate settings.py to Pydantic V2 (SettingsConfigDict, validation_alias)
- Update config models to use @field_validator with @classmethod
- Replace deprecated datetime.utcnow() with datetime.now(timezone.utc)
- Migrate FastAPI app from @app.on_event to lifespan context manager
- Implement comprehensive rate limiting middleware with:
  * Endpoint-specific rate limits (login: 5/min, register: 3/min)
  * IP-based and user-based tracking
  * Authenticated user multiplier (2x limits)
  * Bypass paths for health, docs, static, websocket endpoints
  * Rate limit headers in responses
- Add 13 comprehensive tests for rate limiting (all passing)
- Update instructions.md to mark completed tasks
- Fix asyncio.create_task usage in anime_service.py

All 714 tests passing. No deprecation warnings.

src/server/fastapi_app.py

@@ -5,6 +5,7 @@ This module provides the main FastAPI application with proper CORS
 configuration, middleware setup, static file serving, and Jinja2 template
 integration.
 """
+from contextlib import asynccontextmanager
 from pathlib import Path
 from typing import Optional
 
@@ -36,13 +37,71 @@ from src.server.middleware.error_handler import register_exception_handlers
 from src.server.services.progress_service import get_progress_service
 from src.server.services.websocket_service import get_websocket_service
 
-# Initialize FastAPI app
+# Prefer storing application-wide singletons on FastAPI.state instead of
+# module-level globals. This makes testing and multi-instance hosting safer.
+
+
+@asynccontextmanager
+async def lifespan(app: FastAPI):
+    """Manage application lifespan (startup and shutdown)."""
+    # Startup
+    try:
+        # Initialize SeriesApp with configured directory and store it on
+        # application state so it can be injected via dependencies.
+        if settings.anime_directory:
+            app.state.series_app = SeriesApp(settings.anime_directory)
+        else:
+            # Log warning when anime directory is not configured
+            print(
+                "WARNING: ANIME_DIRECTORY not configured. "
+                "Some features may be unavailable."
+            )
+        
+        # Initialize progress service with websocket callback
+        progress_service = get_progress_service()
+        ws_service = get_websocket_service()
+        
+        async def broadcast_callback(
+            message_type: str, data: dict, room: str
+        ) -> None:
+            """Broadcast progress updates via WebSocket."""
+            message = {
+                "type": message_type,
+                "data": data,
+            }
+            await ws_service.manager.broadcast_to_room(message, room)
+
+        progress_service.set_broadcast_callback(broadcast_callback)
+
+        print("FastAPI application started successfully")
+    except Exception as e:
+        print(f"Error during startup: {e}")
+        raise  # Re-raise to prevent app from starting in broken state
+    
+    # Yield control to the application
+    yield
+    
+    # Shutdown
+    print("FastAPI application shutting down")
+
+
+def get_series_app() -> Optional[SeriesApp]:
+    """Dependency to retrieve the SeriesApp instance from application state.
+
+    Returns None when the application wasn't configured with an anime
+    directory (for example during certain test runs).
+    """
+    return getattr(app.state, "series_app", None)
+
+
+# Initialize FastAPI app with lifespan
 app = FastAPI(
     title="Aniworld Download Manager",
     description="Modern web interface for Aniworld anime download management",
     version="1.0.0",
     docs_url="/api/docs",
-    redoc_url="/api/redoc"
+    redoc_url="/api/redoc",
+    lifespan=lifespan
 )
 
 # Configure CORS using environment-driven configuration.
@@ -79,61 +138,6 @@ app.include_router(websocket_router)
 # Register exception handlers
 register_exception_handlers(app)
 
-# Prefer storing application-wide singletons on FastAPI.state instead of
-# module-level globals. This makes testing and multi-instance hosting safer.
-
-
-def get_series_app() -> Optional[SeriesApp]:
-    """Dependency to retrieve the SeriesApp instance from application state.
-
-    Returns None when the application wasn't configured with an anime
-    directory (for example during certain test runs).
-    """
-    return getattr(app.state, "series_app", None)
-
-
-@app.on_event("startup")
-async def startup_event() -> None:
-    """Initialize application on startup."""
-    try:
-        # Initialize SeriesApp with configured directory and store it on
-        # application state so it can be injected via dependencies.
-        if settings.anime_directory:
-            app.state.series_app = SeriesApp(settings.anime_directory)
-        else:
-            # Log warning when anime directory is not configured
-            print(
-                "WARNING: ANIME_DIRECTORY not configured. "
-                "Some features may be unavailable."
-            )
-        
-        # Initialize progress service with websocket callback
-        progress_service = get_progress_service()
-        ws_service = get_websocket_service()
-        
-        async def broadcast_callback(
-            message_type: str, data: dict, room: str
-        ) -> None:
-            """Broadcast progress updates via WebSocket."""
-            message = {
-                "type": message_type,
-                "data": data,
-            }
-            await ws_service.manager.broadcast_to_room(message, room)
-
-        progress_service.set_broadcast_callback(broadcast_callback)
-
-        print("FastAPI application started successfully")
-    except Exception as e:
-        print(f"Error during startup: {e}")
-        raise  # Re-raise to prevent app from starting in broken state
-
-
-@app.on_event("shutdown")
-async def shutdown_event():
-    """Cleanup on application shutdown."""
-    print("FastAPI application shutting down")
-
 
 @app.exception_handler(404)
 async def handle_not_found(request: Request, exc: HTTPException):