fix: simplify rate limit enabled status check in middleware

backend/internal/cerberus/rate_limit.go

@@ -143,15 +143,10 @@ func (c *Cerberus) RateLimitMiddleware() gin.HandlerFunc {
 			return
 		}
 
-		// Check config enabled status
-		enabled := false
-		if c.cfg.RateLimitMode == "enabled" {
-			enabled = true
-		} else {
-			// Check dynamic setting
-			if v, ok := c.getSetting("security.rate_limit.enabled"); ok && strings.EqualFold(v, "true") {
-				enabled = true
-			}
+		// Check config enabled status, then let dynamic setting override both true and false.
+		enabled := c.cfg.RateLimitMode == "enabled"
+		if v, ok := c.getSetting("security.rate_limit.enabled"); ok {
+			enabled = strings.EqualFold(v, "true")
 		}
 
 		if !enabled {

backend/internal/cerberus/rate_limit_test.go

@@ -308,6 +308,34 @@ func TestCerberusRateLimitMiddleware_OverridesConfigWithSettings(t *testing.T) {
 	assert.Equal(t, http.StatusTooManyRequests, w2.Code)
 }
 
+func TestCerberusRateLimitMiddleware_SettingsDisableOverride(t *testing.T) {
+	db := setupRateLimitTestDB(t)
+	require.NoError(t, db.Create(&models.Setting{Key: "security.rate_limit.enabled", Value: "false"}).Error)
+
+	cfg := config.SecurityConfig{
+		RateLimitMode:      "enabled",
+		RateLimitRequests:  1,
+		RateLimitWindowSec: 60,
+		RateLimitBurst:     1,
+	}
+	cerb := New(cfg, db)
+
+	r := gin.New()
+	r.Use(cerb.RateLimitMiddleware())
+	r.GET("/", func(c *gin.Context) {
+		c.Status(http.StatusOK)
+	})
+
+	req, _ := http.NewRequest("GET", "/", nil)
+	req.RemoteAddr = "10.0.0.1:1234"
+
+	for i := 0; i < 3; i++ {
+		w := httptest.NewRecorder()
+		r.ServeHTTP(w, req)
+		assert.Equal(t, http.StatusOK, w.Code)
+	}
+}
+
 func TestCerberusRateLimitMiddleware_WindowFallback(t *testing.T) {
 	cfg := config.SecurityConfig{
 		RateLimitMode:      "enabled",