refactor(rate-limit): delegate auth limiting to handlers, add dev bypass

Main's middleware-level auth limiter (5 req / 5 min, IP-only) duplicated
the handler-level limiter introduced earlier on this branch (5/hr IP +
3/hr per-email, blocks email enumeration across IPs). Drop the
middleware version and let the handlers own it.

Added ALLOW_DEV_TEST_ENDPOINTS bypass to the rateLimit utility so
parallel E2E runs from 127.0.0.1 don't exhaust per-IP/email budgets,
mirroring the existing middleware bypass.

Trimmed the obsolete middleware auth test; handler-level coverage lives
in tests/server/api/auth-{login,verify}.test.js. Switched IP-isolation
test to the payment path so it still exercises the limiter.

tests/server/middleware/rate-limit.test.js

@@ -18,35 +18,6 @@ describe('rate-limit middleware', () => {
     })
   })
 
-  describe('auth endpoint limiting (5 per 5 min)', () => {
-    it('allows 5 requests then blocks the 6th', async () => {
-      const ip = '10.0.1.1'
-
-      // First 5 should succeed
-      for (let i = 0; i < 5; i++) {
-        const event = createMockEvent({
-          method: 'POST',
-          path: '/api/auth/login',
-          remoteAddress: ip
-        })
-        await expect(rateLimitMiddleware(event)).resolves.toBeUndefined()
-      }
-
-      // 6th should be rate limited
-      const event = createMockEvent({
-        method: 'POST',
-        path: '/api/auth/login',
-        remoteAddress: ip
-      })
-      await expect(rateLimitMiddleware(event)).rejects.toMatchObject({
-        statusCode: 429
-      })
-
-      // Check Retry-After header was set
-      expect(event._testSetHeaders['retry-after']).toBeDefined()
-    })
-  })
-
   describe('payment endpoint limiting (10 per min)', () => {
     it('allows 10 requests then blocks the 11th', async () => {
       const ip = '10.0.2.1'
@@ -68,16 +39,19 @@ describe('rate-limit middleware', () => {
       await expect(rateLimitMiddleware(event)).rejects.toMatchObject({
         statusCode: 429
       })
+
+      // Check Retry-After header was set
+      expect(event._testSetHeaders['retry-after']).toBeDefined()
     })
   })
 
   describe('IP isolation', () => {
     it('different IPs have separate rate limit counters', async () => {
-      // Exhaust limit for IP A
-      for (let i = 0; i < 5; i++) {
+      // Exhaust payment limit for IP A
+      for (let i = 0; i < 10; i++) {
         const event = createMockEvent({
           method: 'POST',
-          path: '/api/auth/login',
+          path: '/api/helcim/initialize-payment',
           remoteAddress: '10.0.3.1'
         })
         await rateLimitMiddleware(event)
@@ -86,7 +60,7 @@ describe('rate-limit middleware', () => {
       // IP B should still be able to make requests
       const event = createMockEvent({
         method: 'POST',
-        path: '/api/auth/login',
+        path: '/api/helcim/initialize-payment',
         remoteAddress: '10.0.3.2'
       })
       await expect(rateLimitMiddleware(event)).resolves.toBeUndefined()