security: add per-client pending sample limit in PulseAudio protocol

There was no limit on concurrent PLAY_SAMPLE operations per client.
Each creates a PipeWire stream, allowing a client to exhaust server
resources. Add a MAX_PENDING_SAMPLES (64) limit per client.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

src/modules/module-protocol-pulse/client.h

@@ -83,6 +83,7 @@ struct client {
 	uint32_t n_operations;
 
 	struct spa_list pending_samples;
+	uint32_t n_pending_samples;
 
 	unsigned int disconnect:1;
 	unsigned int new_msg_since_last_flush:1;