docs: add async file I/O and auth rate limiting patterns to DEVELOPMENT.md

[moltboie]

Changes

Adds two new patterns to DEVELOPMENT.md:

File I/O in Async Context

Documents the anti-pattern of wrapping writeFileSync in Promise constructors (gives false impression of async behavior while still blocking the event loop). Recommends fs.promises APIs and mkdir({ recursive: true }) over check-then-create.

IMAP/SMTP Authentication Rate Limiting

Documents the need for rate limiting across all auth protocols (HTTP, IMAP, SMTP) with shared counters to prevent protocol-switching brute force attacks.

Context

• Related issues: security: IMAP/SMTP LOGIN has no authentication rate limiting #282 (IMAP/SMTP auth rate limiting), chore: saveBuffer wraps synchronous fs.writeFileSync in unnecessary Promise constructor #283 (saveBuffer sync-in-promise)

E2E Testing

Documentation-only change. Verified markdown renders correctly and no code changes.

[moltboie]

Self-Review

Discussion thread status:

• New PR. No prior feedback. Adds two patterns to DEVELOPMENT.md: async file I/O and auth rate limiting.

Checked:

• Async file I/O pattern: Correctly documents the anti-pattern of writeFileSync-in-Promise. Recommended pattern (fs.promises.writeFile, mkdirSync({ recursive: true })) matches inbox/chore: convert saveBuffer to use async fs.promises.writeFile #285. Accurate.
• Auth rate limiting pattern: Documents the isAuthRateLimited / recordAuthFailure / resetAuthFailures API. Consistent with inbox/security: add auth rate limiting to IMAP and SMTP login #286 implementation. Accurate.
• No code changes: Documentation only.

Issues found:

• None.

Confidence: High