fix(promo-codes): use rate.limit instead of auth.user on discover route

The discover endpoint's seeder entry intentionally omits authz_groups per
SDS Task 9 ("any authenticated user with read scope"). The auth.user
middleware requires at least one matching group, so every request fell
through to a 403. Switch to rate.limit:25,1 to match the adjacent
pre-validate-promo-code route, which has the same "any authenticated user"
profile. OAuth2 bearer auth and scope enforcement are still applied via
the parent 'api' middleware group.

All 5 discover integration tests now pass (verified locally).

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>

Author: caseylocker

routes/api_v1.php

@@ -1951,7 +1951,8 @@
         // promo codes
         Route::group(['prefix' => 'promo-codes'], function () {
             Route::group(['prefix' => 'all'], function () {
-                Route::get('discover', ['middleware' => 'auth.user', 'uses' => 'OAuth2SummitPromoCodesApiController@discover']);
+                // rate-limit only — no authz groups required per SDS Task 9
+                Route::get('discover', ['middleware' => ['rate.limit:25,1'], 'uses' => 'OAuth2SummitPromoCodesApiController@discover']);
             });
             Route::get('', ['middleware' => 'auth.user', 'uses' => 'OAuth2SummitPromoCodesApiController@getAllBySummit']);
             Route::group(['prefix' => 'csv'], function () {