feat(security): extend rate limits on sync, tests, evidence and reports [FASE-3.4]

backend/tests/conftest.py

@@ -121,10 +121,8 @@ def client(db, monkeypatch):
     app.dependency_overrides[get_db] = override_get_db
     Base.metadata.create_all(bind=engine)
 
-    if hasattr(app.state, "limiter"):
-        app.state.limiter.enabled = False
-    from app.routers.auth import limiter as auth_limiter
-    auth_limiter.enabled = False
+    from app.limiter import limiter
+    limiter.enabled = False
 
     from fastapi.testclient import TestClient
     with TestClient(app) as test_client:

backend/tests/test_rate_limits.py

@@ -0,0 +1,25 @@
+"""Smoke tests for extended rate-limit decorators (SEC-003)."""
+
+import inspect
+
+from app.routers import evidence, professional_reports, system, tests
+
+
+def test_sync_mitre_has_hourly_limit():
+    source = inspect.getsource(system.trigger_mitre_sync)
+    assert "2/hour" in source
+
+
+def test_create_test_has_per_minute_limit():
+    source = inspect.getsource(tests.create_test)
+    assert "30/minute" in source
+
+
+def test_upload_evidence_has_per_minute_limit():
+    source = inspect.getsource(evidence.upload_evidence)
+    assert "10/minute" in source
+
+
+def test_report_endpoints_have_per_minute_limit():
+    source = inspect.getsource(professional_reports.generate_coverage_report)
+    assert "5/minute" in source