ci: force memory rate limiter in tests and set placeholder AUTH_SECRET

Unit Tests fix: when REDIS_URL is set but Redis briefly drops, the rate
limiter switches to a degraded in-memory backend with max/10 limits and
accumulates state across test files, breaking ~120 api router tests with
"Rate limit exceeded". Setting RATE_LIMIT_BACKEND=memory pins the limiter
to the full-capacity memory backend for unit tests (which don't need
distributed counters anyway).

Build fix: next build collects page data for /api/auth routes, which
validates AUTH_SECRET at boot. CI_AUTH_SECRET comes from a Gitea secret
that isn't configured, so it was empty and builds aborted. Use a
placeholder string ≥32 chars inline — the real secret is only required
in deploy workflows, not here.

.github/workflows/ci.yml

@@ -24,7 +24,9 @@ env:
   NODE_VERSION: "20"
   PNPM_VERSION: "9.14.2"
   CI_AUTH_URL: http://localhost:3100
-  CI_AUTH_SECRET: ${{ secrets.CI_AUTH_SECRET }}
+  # Placeholder for CI — real secret only matters at deploy time.
+  # next build collects page data for auth routes and aborts if empty.
+  CI_AUTH_SECRET: ci-test-secret-minimum-32-chars-xx
 
 jobs:
   guardrails:
@@ -172,6 +174,9 @@ jobs:
     env:
       DATABASE_URL: postgresql://capakraken:capakraken_test@postgres:5432/capakraken_test
       REDIS_URL: redis://redis:6379
+      # Force in-memory rate limiter to avoid cross-test state when Redis drops.
+      # Redis fallback downgrades to max/10 limits which rate-limits unit tests.
+      RATE_LIMIT_BACKEND: memory
       NEXTAUTH_URL: ${{ env.CI_AUTH_URL }}
       AUTH_URL: ${{ env.CI_AUTH_URL }}
       NEXTAUTH_SECRET: ${{ env.CI_AUTH_SECRET }}