fix: add guest limits and rate limiting to booking-guests endpoint (#27494)

* fix: add guest limits and rate limiting to booking-guests endpoint

- Add ArrayMaxSize(10) validation to limit guests per request to 10
- Add aggressive rate limiting (5 requests/minute) via @Throttle decorator
- Add total guest limit check (max 30 guests per booking) to prevent abuse
- Update API documentation to reflect new limits

This prevents scammers from using the endpoint to send spam emails
to hundreds of guests through our system.

Co-Authored-By: morgan@cal.com <morgan@cal.com>

* docs: update openapi.json with guest limits and rate limiting info

Co-Authored-By: morgan@cal.com <morgan@cal.com>

---------

Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>