fix: cap POST /download-zip at 50 documents

[bmersereau]

Summary

• Adds a MAX_ZIP_DOCUMENTS = 50 constant and a 400 guard to POST /single-documents/download-zip
• Prevents an authenticated user from triggering simultaneous in-memory loading of an unbounded number of large files

Closes #99
Closes #114

Changes

• backend/src/routes/documents.ts — MAX_ZIP_DOCUMENTS constant + length check returning 400
• backend/src/lib/__tests__/downloadZipLimit.test.ts — static analysis test verifying the limit exists
• backend/vitest.config.ts — vitest config scoping tests to src/ (excludes compiled dist/)
• backend/package.json — "test": "vitest run" script added

Test plan

• Unit tests added and passing
• Backend build passes

[bmersereau]

PR Review

Summary

Adds MAX_ZIP_DOCUMENTS = 50 guard to POST /single-documents/download-zip, returning 400 with a clear message when the request exceeds the limit. Simple, correct, and exactly scoped to the issue.

Findings

• [severity:praise] Named constant MAX_ZIP_DOCUMENTS makes the limit self-documenting and easy to tune
• [severity:praise] Error message includes the actual limit value (Cannot download more than ${MAX_ZIP_DOCUMENTS} documents at once) — good UX
• [severity:nit] Static test uses readFileSync — verifies pattern is present but not that the HTTP response is actually 400. Acceptable given the simplicity of the change

Specific checks

• "test": "vitest run" in package.json ✓
• vitest.config.ts include filter present ✓
• Tests pass: 2/2 ✓
• documents.ts unchanged from origin/main (aside from this fix) ✓

Verdict

Approve — clean.