fix(security): harden IP allowlist against XFF bypass and spoofing (#3)

Hardens the IP allowlist in require_auth against the two bypasses filed in #3.

1. Bypass via missing X-Forwarded-For (no IP to check, allowlist skipped).
2. Spoofing via attacker-controlled X-Forwarded-For (header trusted unconditionally).

Resolves both by deriving the client IP from the socket peer (ConnectInfo<SocketAddr>) and only honoring X-Forwarded-For when the immediate peer is in a new security.trusted_proxies allowlist (default empty = strict). Fails closed with 403 forbidden_ip when a non-empty allowlist is configured and the client IP cannot be determined. Empty ip_whitelist continues to mean allow all (preserved for dev installs).

27 pm-auth tests pass (12 new resolver + 8 new middleware + 7 existing). Spec: tasks/ip-allowlist-spec.md.

config/config.example.toml

@@ -76,6 +76,20 @@ format = "json"
 # Example: ["10.0.0.0/8", "192.168.1.50"]
 ip_whitelist = []
 
+# Trusted reverse proxies: list of CIDRs or individual IPs. When the immediate
+# TCP peer is in this list, `X-Forwarded-For` is honored (leftmost untrusted
+# hop is used for allowlist enforcement). When this list is EMPTY (the
+# default), `X-Forwarded-For` is IGNORED entirely and the socket peer IP is
+# used — the strict, fail-closed default.
+#
+# REQUIRED if you front pm-web with nginx/HAProxy/Cloudflare/etc.: add the
+# proxy's egress IP (or CIDR) here, otherwise the allowlist will evaluate
+# against the proxy's IP and deny legitimate traffic. If your proxy chain
+# has multiple hops, add each hop you control.
+# Example: ["10.0.0.0/8"]   (corporate egress)
+# Example: ["172.16.0.0/12"] (internal load balancer)
+trusted_proxies = []
+
 # Ed25519 JWT signing key (private key, PEM format)
 # Generate: openssl genpkey -algorithm ed25519 -out /etc/patch-manager/jwt/signing.pem
 jwt_signing_key_path = "/etc/patch-manager/jwt/signing.pem"