fix(room): wire doorbell, rights bypass, password alerts, and brute-force cooldown

[Copilot]

Room entry had several broken paths: rights holders were forced to ring the doorbell, only the owner received doorbell notifications, wrong passwords produced no visible message, and the entry flow had no brute-force protection. handleLetUserIn also had no authorization guard and skipped leaveCurrentRoom/visit-recording.

Access control

• CheckAccess — rights holders now bypass AccessLocked directly (no doorbell).
• room.enter.bypass permission — skips both password check and doorbell entirely (staff override).

Doorbell

• triggerDoorbell — notifies every entity in the room that is the owner or holds rights, not just the owner. Cleans up the pending entry immediately when no recipient is found instead of parking the visitor indefinitely.
• handleLetUserIn — added owner/rights authorization guard (unauthorized packets are dropped with a Warn log). Calls leaveCurrentRoom on the visitor before assigning the new room. Wires visit recording, which was missing from the doorbell approval path.
• Dispose — cleans up pendingDoorbell entries and password tracking maps for the disconnecting connection, preventing stale state and memory leaks.

Password protection

• Wrong password now sends GenericAlertPacket{"Incorrect room password!"} in addition to CantConnectComposer{ErrorCode:6} so the client shows a visible dialog.
• After 3 consecutive wrong attempts the connection enters a 30 s cooldown; each blocked attempt returns the remaining wait time:

_ = rt.sendPacket(connID, notificationpacket.GenericAlertPacket{
    Message: fmt.Sprintf("Too many incorrect attempts. Please wait %s.", remaining),
})
return rt.sendPacket(connID, packet.CantConnectComposer{ErrorCode: 6})

Counters and cooldown are reset on successful entry or connection dispose.

Original prompt

Ok check out AGENTS.md, docs, and everything you see possible of pixel-server. Check the vendor/ implementations and check the wiring.

this is the packet trace.

Doorbell is not working, users with specific permission aren't overriding the doorbell nor the password, password wrong not showing the message, after three attempts we should have some kind of cooldown to prevent exploiting, and send an alert with the cooldown, etc... Fix all of that wire

The user has attached the following file paths as relevant context:

• AGENTS.md
• AGENTS.md

Created from VS Code.