Disable auth rate limiters in debug mode for UI test suites

Rate limiters on login/register/password-reset endpoints cause 429 errors
when running parallel UI tests that create many accounts. In debug mode,
skip rate limiters entirely so test suites can run without throttling.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

docker-compose.dev.yml

@@ -55,6 +55,7 @@ services:
       # Server
       PORT: "8000"
       DEBUG: "true"
+      DEBUG_FIXED_CODES: "true"
       ALLOWED_HOSTS: "localhost,127.0.0.1"
       TIMEZONE: "${TIMEZONE:-UTC}"
 
@@ -121,7 +122,7 @@ services:
       api:
         condition: service_healthy
     healthcheck:
-      test: ["CMD", "wget", "--no-verbose", "--tries=1", "--spider", "http://127.0.0.1:3000/admin/"]
+      test: ["CMD", "wget", "--no-verbose", "--tries=1", "--spider", "http://127.0.0.1:3000/"]
       interval: 30s
       timeout: 10s
       retries: 3

docker-compose.yml

@@ -125,7 +125,7 @@ services:
       HOSTNAME: "0.0.0.0"
       NEXT_PUBLIC_API_URL: "${NEXT_PUBLIC_API_URL}"
     healthcheck:
-      test: ["CMD", "wget", "--no-verbose", "--tries=1", "--spider", "http://127.0.0.1:3000/admin/"]
+      test: ["CMD", "wget", "--no-verbose", "--tries=1", "--spider", "http://127.0.0.1:3000/"]
       interval: 30s
       timeout: 10s
       retries: 3

internal/router/router.go

@@ -218,7 +218,7 @@ func SetupRouter(deps *Dependencies) *echo.Echo {
 	api := e.Group("/api")
 	{
 		// Public auth routes (no auth required)
-		setupPublicAuthRoutes(api, authHandler)
+		setupPublicAuthRoutes(api, authHandler, cfg.Server.Debug)
 
 		// Public data routes (no auth required)
 		setupPublicDataRoutes(api, residenceHandler, taskHandler, contractorHandler, staticDataHandler, subscriptionHandler, taskTemplateHandler)
@@ -306,15 +306,26 @@ func healthCheck(c echo.Context) error {
 
 // setupPublicAuthRoutes configures public authentication routes with
 // per-endpoint rate limiters to mitigate brute-force and credential-stuffing.
-func setupPublicAuthRoutes(api *echo.Group, authHandler *handlers.AuthHandler) {
+// Rate limiters are disabled in debug mode to allow UI test suites to run
+// without hitting 429 errors.
+func setupPublicAuthRoutes(api *echo.Group, authHandler *handlers.AuthHandler, debug bool) {
 	auth := api.Group("/auth")
 
-	// Rate limiters — created once, shared across requests.
-	loginRL := custommiddleware.LoginRateLimiter()             // 10 req/min
-	registerRL := custommiddleware.RegistrationRateLimiter()   // 5 req/min
-	passwordRL := custommiddleware.PasswordResetRateLimiter()  // 3 req/min
+	if debug {
+		// No rate limiters in debug/local mode
+		auth.POST("/login/", authHandler.Login)
+		auth.POST("/register/", authHandler.Register)
+		auth.POST("/forgot-password/", authHandler.ForgotPassword)
+		auth.POST("/verify-reset-code/", authHandler.VerifyResetCode)
+		auth.POST("/reset-password/", authHandler.ResetPassword)
+		auth.POST("/apple-sign-in/", authHandler.AppleSignIn)
+		auth.POST("/google-sign-in/", authHandler.GoogleSignIn)
+	} else {
+		// Rate limiters — created once, shared across requests.
+		loginRL := custommiddleware.LoginRateLimiter()            // 10 req/min
+		registerRL := custommiddleware.RegistrationRateLimiter()  // 5 req/min
+		passwordRL := custommiddleware.PasswordResetRateLimiter() // 3 req/min
 
-	{
 		auth.POST("/login/", authHandler.Login, loginRL)
 		auth.POST("/register/", authHandler.Register, registerRL)
 		auth.POST("/forgot-password/", authHandler.ForgotPassword, passwordRL)