fix: count malformed json requests in rate limiter

[vicentsmith470-web]

Summary

• Move the global API rate limiter before JSON body parsing so malformed JSON requests are counted before parser errors short-circuit the stack.
• Add a focused regression test proving repeated malformed JSON requests eventually receive HTTP 429.

Closes #3365
/claim #743

Validation

• node --check apps/api/src/app.js
• node --check apps/api/src/tests/rateLimit.test.js
• node --test apps/api/src/tests/rateLimit.test.js
• node --test apps/api/src/tests/health.test.js apps/api/src/tests/rateLimit.test.js
• git diff --check

Demo Video

• https://github.com/vicentsmith470-web/bug-bounty/releases/download/demo-rate-limit-3365/rate-limit-3365-demo.mp4

The regression test exercises the API over a real ephemeral HTTP server: 201 malformed JSON POST /api/jobs requests from the same client, with the final response asserted as HTTP 429.

[vicentsmith470-web]

Added the short demo video requested by the bounty instructions to the PR body:
https://github.com/vicentsmith470-web/bug-bounty/releases/download/demo-rate-limit-3365/rate-limit-3365-demo.mp4