Add configurable global concurrent request limiting

- Add max_concurrent_requests config option (default: 1000)
- Implement global AtomicUsize counter for concurrent request tracking
- Return status 41 'Server unavailable' when limit exceeded
- Proper counter management with decrements on all exit paths
- Add comprehensive config validation (1-1,000,000 range)
- Update documentation with rate limiting details
- Add unit tests for config parsing
- Thread-safe implementation using Ordering::Relaxed

This provides effective DDoS protection by limiting concurrent
connections to prevent server overload while maintaining
configurability for different deployment scenarios.
Jeena 2026-01-16 02:26:59 +00:00
parent 9d29321806
commit 0468781a69
5 changed files with 54 additions and 6 deletions

@ -92,9 +92,10 @@ nothing else. It is meant to be generic so other people can use it.
- Default file: "index.gmi" for directory requests
## Error Handling
- **Concurrent request limit exceeded**: Return status 41 "Server unavailable"
- **Timeout**: Return status 41 "Server unavailable" (not 59)
- **Request too large**: Return status 59 "Bad request"
- **Empty request**: Return status 59 "Bad request"
- **Empty request**: Return status 59 "Bad request"
- **Invalid URL format**: Return status 59 "Bad request"
- **Hostname mismatch**: Return status 59 "Bad request"
- **Path resolution failure**: Return status 51 "Not found" (including security violations)
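Review bot: The new "Concurrent request limit exceeded" entry under Error Handling returns the same status 41 "Server unavailable" as the Timeout entry directly below it, so neither a client nor an operator reading the documentation can tell load shedding apart from a slow request. Suggest adding a line here saying how the two cases are distinguished in the server log, and at what point the rejection happens (before or after the request is read), since that decides how much work a rejected connection still costs the server.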
@ -102,12 +103,13 @@ nothing else. It is meant to be generic so other people can use it.
- Reject requests > 1024 bytes (per Gemini spec)
- Reject requests without proper `\r\n` termination
- Use `tokio::time::timeout()` for request timeout handling
- Configurable concurrent request limit: `max_concurrent_requests` (default: 1000)
## Configuration
- TOML config files with `serde::Deserialize`
- CLI args override config file values
- Required fields: root, cert, key, host
- Optional: port, log_level
- Optional: port, log_level, max_concurrent_requests
# Development Notes
- Generate self-signed certificates for local testing in `tmp/` directory
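Review bot: The added line "Configurable concurrent request limit: `max_concurrent_requests` (default: 1000)" documents only the default, while the commit message says the value is validated to the 1-1,000,000 range; the Configuration list also only names the key as optional. Suggest stating the accepted range and what an out-of-range value does at startup, and noting that the limit is global rather than per client, so readers do not take it for per-peer rate limiting (the commit message calls it both "rate limiting" and a concurrent request limit).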