fix(security): persist RateLimitMode in Upsert and harden integration test payload

- The security config Upsert update path copied all rate limit fields
  from the incoming request onto the existing database record except
  RateLimitMode, so the seeded default value of "disabled" always
  survived a POST regardless of what the caller sent
- This silently prevented the Caddy rate_limit handler from being
  injected on any container with a pre-existing config record (i.e.,
  every real deployment and every CI run after migration)
- Added the missing field assignment so RateLimitMode is correctly
  persisted on update alongside all other rate limit settings
- Integration test payload now also sends rate_limit_enable alongside
  rate_limit_mode so the handler sync logic fires via its explicit
  first branch, providing belt-and-suspenders correctness independent
  of which path the caller uses to express intent
GitHub Actions
2026-03-17 17:06:02 +00:00
parent 0df1126aa9
commit 61418fa9dd
2 changed files with 2 additions and 0 deletions

@@ -150,6 +150,7 @@ func (s *SecurityService) Upsert(cfg *models.SecurityConfig) error {
existing.WAFParanoiaLevel = cfg.WAFParanoiaLevel
existing.WAFExclusions = cfg.WAFExclusions
existing.RateLimitEnable = cfg.RateLimitEnable
existing.RateLimitMode = cfg.RateLimitMode
existing.RateLimitBurst = cfg.RateLimitBurst
existing.RateLimitRequests = cfg.RateLimitRequests
existing.RateLimitWindowSec = cfg.RateLimitWindowSec
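Review bot: the new `existing.RateLimitMode = cfg.RateLimitMode` assignment in the Upsert update path has no unit-level regression test in this commit (2 files changed, one added line each), so the same omission can recur the next time a field is added to this hand-maintained copy list. Add a SecurityService test that seeds a record with mode "disabled", calls Upsert with a different mode, reloads the record, and asserts that the stored value changed. The assignment is also unconditional: if a caller omits rate_limit_mode and cfg.RateLimitMode arrives as the empty string, it will now overwrite the stored value, so confirm that case is either defaulted before this line or rejected by validation.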

@@ -263,6 +263,7 @@ SEC_CFG_PAYLOAD=$(cat <<EOF
"name": "default",
"enabled": true,
"rate_limit_mode": "enabled",
"rate_limit_enable": true,
"rate_limit_requests": ${RATE_LIMIT_REQUESTS},
"rate_limit_window_sec": ${RATE_LIMIT_WINDOW_SEC},
"rate_limit_burst": ${RATE_LIMIT_BURST},
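Review bot: adding `"rate_limit_enable": true` next to `"rate_limit_mode": "enabled"` in SEC_CFG_PAYLOAD means this integration test no longer depends on the RateLimitMode persistence fixed in the same commit, because per the commit message the handler sync now fires through its explicit first branch. A later regression that drops RateLimitMode on update would still leave this test green. Keep this payload if the belt-and-suspenders path is wanted, but add a second case that sends only rate_limit_mode, or read the config back after the POST and assert that rate_limit_mode is "enabled", so the mode-only path that originally failed stays covered.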