fix(handlers): bypass box creation limits for batched uploads

Update `createOrAppendBox` to accept the upload policy and admin status, allowing policy enforcement to be handled during the box creation/append decision process. This ensures that appending files to an existing batch does not incorrectly trigger daily or active box creation limits, as no new box is being created.

Also, add unit tests to verify that batched uploads successfully bypass both daily and active box creation caps.

backend/libs/services/bans.go

@@ -519,6 +519,11 @@ func (s *BanService) RecordAbuse(ip, kind, detail string, threshold int, now tim
 	if err != nil || !triggered {
 		return AbuseResult{Event: event, Triggered: false, Enabled: true}, err
 	}
+	if matched, ok, err := s.Match(ip, now); err != nil {
+		return AbuseResult{}, err
+	} else if ok {
+		return AbuseResult{Event: event, Ban: matched.Ban, Triggered: true, Enabled: true}, nil
+	}
 	reason := fmt.Sprintf("%s threshold reached: %s", strings.ReplaceAll(kind, "_", " "), detail)
 	ban, err = s.createBan(ip, reason, BanSourceAuto, "", now.Add(time.Duration(settings.AutoBanDurationHours)*time.Hour), now)
 	if err != nil {

backend/libs/services/bans_test.go

@@ -79,6 +79,17 @@ func TestBanServiceAutoBanThresholdsAndDisabled(t *testing.T) {
 	if err != nil || !result.Triggered || result.Ban.ID == "" {
 		t.Fatalf("RecordAbuse threshold = %+v, %v", result, err)
 	}
+	again, err := bans.RecordAbuse("203.0.113.8", AbuseKindMaliciousPath, "/.env", 3, now.Add(4*time.Minute))
+	if err != nil || !again.Triggered || again.Ban.ID != result.Ban.ID {
+		t.Fatalf("RecordAbuse duplicate = %+v, %v", again, err)
+	}
+	records, err := bans.ListBans()
+	if err != nil {
+		t.Fatalf("ListBans returned error: %v", err)
+	}
+	if len(records) != 1 {
+		t.Fatalf("ban count = %d, want 1", len(records))
+	}
 }
 
 func TestBanServiceMaliciousPathRules(t *testing.T) {