refactor(rate-limit): delegate auth limiting to handlers, add dev bypass

Main's middleware-level auth limiter (5 req / 5 min, IP-only) duplicated
the handler-level limiter introduced earlier on this branch (5/hr IP +
3/hr per-email, blocks email enumeration across IPs). Drop the
middleware version and let the handlers own it.

Added ALLOW_DEV_TEST_ENDPOINTS bypass to the rateLimit utility so
parallel E2E runs from 127.0.0.1 don't exhaust per-IP/email budgets,
mirroring the existing middleware bypass.

Trimmed the obsolete middleware auth test; handler-level coverage lives
in tests/server/api/auth-{login,verify}.test.js. Switched IP-isolation
test to the payment path so it still exercises the limiter.

server/middleware/03.rate-limit.js

@@ -1,12 +1,5 @@
 import { RateLimiterMemory } from 'rate-limiter-flexible'
 
-// Strict rate limit for auth endpoints
-const authLimiter = new RateLimiterMemory({
-  points: 5,     // 5 requests
-  duration: 300, // per 5 minutes
-  keyPrefix: 'rl_auth'
-})
-
 // Moderate rate limit for payment endpoints
 const paymentLimiter = new RateLimiterMemory({
   points: 10,
@@ -35,7 +28,6 @@ function getClientIp(event) {
     || 'unknown'
 }
 
-const AUTH_PATHS = new Set(['/api/auth/login', '/api/auth/verify'])
 const PAYMENT_PREFIXES = ['/api/helcim/']
 const UPLOAD_PATHS = new Set(['/api/upload/image'])
 
@@ -51,9 +43,7 @@ export default defineEventHandler(async (event) => {
   const ip = getClientIp(event)
 
   try {
-    if (AUTH_PATHS.has(path)) {
-      await authLimiter.consume(ip)
-    } else if (PAYMENT_PREFIXES.some(p => path.startsWith(p))) {
+    if (PAYMENT_PREFIXES.some(p => path.startsWith(p))) {
       await paymentLimiter.consume(ip)
     } else if (UPLOAD_PATHS.has(path)) {
       await uploadLimiter.consume(ip)