feat(security): add query limits middleware closes #533

[Rocket1960]

Adds queryLimits Express middleware that enforces configurable caps on query string length and filter complexity (OR clause count, AND nesting depth) to protect database resources from expensive or malicious queries.

• src/config/queryLimits.ts – config interface + env-var-driven defaults
• src/middleware/queryLimits.ts – middleware implementation
• src/app.ts / server.ts / routers – wiring for search, referrals, booking
• tests/queryLimits.test.ts – unit tests
• docs/api/query-limits.md – endpoint + configuration reference

A new pull request which addresses the maintainers request
closes issue #533