
Rate limiting on boost endpoint #82

@whisper67265

Description

Problem

The Boost endpoint (/boost-endpoint/info/ and /boost-endpoint/add-or-update/) had no scoped rate limits, so authenticated clients could hammer expensive routes without throttling aligned with Weblate’s REST framework patterns. Production defaults and CI overrides were also undefined for those scopes.

Acceptance Criteria

  • BoostEndpointInfo and AddOrUpdateView apply UserRateThrottle plus scoped throttles (info, add-or-update) using Weblate’s patch_throttle_request.
  • Default scoped rates are 60/minute for info and 10/hour for add-or-update, overridable via BOOST_ENDPOINT_THROTTLE_INFO and BOOST_ENDPOINT_THROTTLE_ADD_OR_UPDATE.
  • Exceeding a scoped or user limit returns HTTP 429 with a positive Retry-After header; add-or-update does not enqueue Celery work once throttled.
  • Unit tests in tests/endpoint/test_views.py cover scoped and user throttling without leaking throttle state between tests.

Implementation Notes

  • Scoped throttle classes subclass ScopedRateThrottle and delegate through @patch_throttle_request so Weblate’s throttle keying matches upstream API views.
  • settings_override.merge_boost_endpoint_throttle_rates() merges Boost rates into existing REST_FRAMEWORK["DEFAULT_THROTTLE_RATES"] without clobbering upstream user / anon entries.
  • Endpoint throttle unit tests use _isolated_throttle_rates fixtures to reload DRF throttle rates and clear the cache per test.
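As an added illustration of the merge behaviour described in the notes above (constructed example, not the project's own `settings_override.py`; the defaults and environment variable names come from the acceptance criteria, while the function signature and the rate-string check are assumptions):

```python
import os
import re

# Default scoped rates from the acceptance criteria.
DEFAULT_BOOST_RATES = {
    "info": "60/minute",
    "add-or-update": "10/hour",
}

# Environment variables named in the issue as the override mechanism
# (reading them directly here is an assumption of this example).
ENV_OVERRIDES = {
    "info": "BOOST_ENDPOINT_THROTTLE_INFO",
    "add-or-update": "BOOST_ENDPOINT_THROTTLE_ADD_OR_UPDATE",
}

# DRF parses "<num>/<period>" and keys the period on its first letter
# (s, m, h, d), so "60/minute", "10/hour" and "5/s" are all valid.
_RATE_RE = re.compile(r"^\d+/[smhd][a-z]*$")


def validate_rate(rate: str) -> str:
    """Reject rate strings DRF would fail to parse at throttle time."""
    if not _RATE_RE.match(rate):
        raise ValueError(f"invalid DRF throttle rate: {rate!r}")
    return rate


def merge_boost_endpoint_throttle_rates(rest_framework: dict, environ=None) -> dict:
    """Return a copy of REST_FRAMEWORK with the Boost scopes merged in.

    Upstream DEFAULT_THROTTLE_RATES entries (user, anon, ...) are kept
    untouched; only the Boost scopes are written, with an environment
    override taking precedence over the built-in default.
    """
    if environ is None:
        environ = os.environ
    merged = dict(rest_framework)
    rates = dict(merged.get("DEFAULT_THROTTLE_RATES", {}))
    for scope, default in DEFAULT_BOOST_RATES.items():
        rates[scope] = validate_rate(environ.get(ENV_OVERRIDES[scope], default))
    merged["DEFAULT_THROTTLE_RATES"] = rates
    return merged
```

Passing an explicit `environ` mapping is what lets a test exercise the override path without mutating the process environment.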

References

  • src/boost_weblate/endpoint/views.py
  • src/boost_weblate/settings_override.py
  • tests/endpoint/test_views.py
  • tests/test_settings_override.py
  • tests/django_qbk_format_settings.py
