fix: add tests for auth failure without API key and ensure rate limiting applies regardless of auth

tests/test_commend.py

@@ -80,3 +80,35 @@ def test_commend_post_error_envelope_format(client: TestClient) -> None:
         if isinstance(detail, dict):
             assert "code" in detail
             assert "message" in detail
+
+
+def test_commend_auth_fail_closed_without_key(client: TestClient) -> None:
+    """Without COMMEND_API_KEY set, protected endpoints should reject (fail-closed)."""
+    response = client.post(
+        "/api/commend/generate",
+        json={
+            "videoUrl": "https://www.youtube.com/watch?v=dQw4w9WgXcQ",
+            "language": "English",
+            "commentStyle": "supportive",
+        },
+    )
+    # With COMMEND_REQUIRE_AUTH=true (default) and no key, expect 429 or 503
+    assert response.status_code in (429, 503)
+
+
+def test_commend_rate_limit_independent_of_auth(client: TestClient) -> None:
+    """Rate limiting should apply regardless of auth configuration."""
+    # Send multiple rapid requests — rate limit should apply even without auth key
+    statuses = []
+    for _ in range(15):
+        response = client.post(
+            "/api/commend/generate",
+            json={
+                "videoUrl": "https://www.youtube.com/watch?v=dQw4w9WgXcQ",
+                "language": "English",
+                "commentStyle": "supportive",
+            },
+        )
+        statuses.append(response.status_code)
+    # Should see at least one 429 in the batch (rate limit is 10/min)
+    assert 429 in statuses, f"Expected 429 in statuses but got: {set(statuses)}"