The POST /api/incidents endpoint currently has only global rate limiting. Add per-operator rate limiting to prevent accidental spam from a single device. Suggested: max 20 reports per operator per minute.