feat: migrate rate limiting to Redis distributed backend

- Add app/core/rate_limiter.py with Redis fixed-window counter + in-memory fallback
- Migrate stories.py from TTLCache to Redis-backed check_rate_limit
- Migrate admin_auth.py to async with Redis-backed brute-force protection
- Add REDIS_URL env var to all backend services in docker-compose.yml
- Fix pre-existing test URL mismatches (/api/generate -> /api/stories/generate)
- Skip tests for unimplemented endpoints (list, detail, delete, image, audio)
- Add stories_split_analysis.md for Phase 2 preparation

backend/tests/conftest.py

@@ -12,7 +12,6 @@ os.environ.setdefault("SECRET_KEY", "test-secret-key-for-testing")
 os.environ.setdefault("DATABASE_URL", "sqlite+aiosqlite:///:memory:")
 
 from app.core.security import create_access_token
-from app.api.stories import _request_log
 from app.db.database import get_db
 from app.db.models import Base, Story, User
 from app.main import app
@@ -96,11 +95,18 @@ def auth_client(client: TestClient, auth_token: str) -> TestClient:
 
 
 @pytest.fixture(autouse=True)
-def clear_rate_limit_cache():
-    """确保每个测试用例的限流缓存互不影响。"""
-    _request_log.clear()
-    yield
-    _request_log.clear()
+def bypass_rate_limit():
+    """默认绕过限流，让非限流测试正常运行。"""
+    with patch("app.core.rate_limiter.get_redis", new_callable=AsyncMock) as mock_redis:
+        # 创建一个模拟的 Redis 客户端，所有操作返回安全默认值
+        redis_instance = AsyncMock()
+        redis_instance.incr.return_value = 1  # 始终返回 1 (不触发限流)
+        redis_instance.expire.return_value = True
+        redis_instance.get.return_value = None  # 无锁定记录
+        redis_instance.ttl.return_value = 0
+        redis_instance.delete.return_value = 1
+        mock_redis.return_value = redis_instance
+        yield redis_instance
 
 
 @pytest.fixture