monad-wireauth: add soft/hard handshake rate limits (cookie-gated at soft, drop at hard)

right now the "cookie/ip validation" path only kicks in once total_sessions >= low_watermark_sessions. an attacker can try to keep total_sessions just below that threshold while still generating enough handshake traffic to consume the global handshake budget, causing honest peers' new connections to get dropped without ever triggering cookie-gated, per-ip controls.