fix: cap Retry-After sleep to RetryWaitMax in DefaultBackoff

[nghiack7]

Problem

When a server responds with a Retry-After header (e.g. Retry-After: 3600), DefaultBackoff unconditionally sleeps for that duration — completely ignoring the client's configured RetryWaitMax. This means a misbehaving or malicious server can force a client to sleep for an arbitrarily long time, bypassing the user's intent.

Fixes #247.

Root cause

// before — no cap applied
if sleep, ok := parseRetryAfterHeader(resp.Header["Retry-After"]); ok {
    return sleep   // could be hours
}

Fix

Cap the Retry-After sleep at max (which is RetryWaitMax):

if sleep, ok := parseRetryAfterHeader(resp.Header["Retry-After"]); ok {
    if sleep > max {
        return max
    }
    return sleep
}

This is consistent with how the exponential backoff path already respects RetryWaitMax.

Tests

Added TestClient_DefaultBackoff_RetryAfterExceedsMax covering:

• HTTP 429 with Retry-After: 3600 → capped to RetryWaitMax (10s)
• HTTP 503 with Retry-After: 3600 → capped to RetryWaitMax (10s)

All existing tests pass.

[hashicorp-cla-app]

Thank you for your submission! We require that all contributors sign our Contributor License Agreement ("CLA") before we can accept the contribution. Read and sign the agreement

Learn more about why HashiCorp requires a CLA and what the CLA includes

---

Nghĩa Nguyễn Ngọc seems not to be a GitHub user.
You need a GitHub account to be able to sign the CLA.
If you have already a GitHub account, please add the email address used for this commit to your account.

_{Have you signed the CLA already but the status is still pending? Recheck it.}

[nghiack7]

@hashicorp-cla-app recheck