Fix architecture issues from todolist

- Add documentation warnings for in-memory rate limiting and failed login attempts
- Consolidate duplicate health endpoints into api/health.py
- Fix CLI to use correct async rescan method names
- Update download.py and anime.py to use custom exception classes
- Add WebSocket room validation and rate limiting

src/server/services/auth_service.py

@@ -42,6 +42,17 @@ class AuthService:
       config persistence should be used (not implemented here).
     - Lockout policy is kept in-memory and will reset when the process
       restarts. This is acceptable for single-process deployments.
+    
+    WARNING - SINGLE PROCESS LIMITATION:
+        Failed login attempts are stored in memory dictionaries which RESET
+        when the process restarts. This means:
+        - Attackers can bypass lockouts by triggering a process restart
+        - Lockout state is not shared across multiple workers/processes
+        
+        For production deployments, consider:
+        - Storing failed attempts in database with TTL-based expiration
+        - Using Redis for distributed lockout state
+        - Implementing account-based (not just IP-based) lockout tracking
     """
 
     def __init__(self) -> None: