fix(security): harden IP allowlist against XFF bypass and spoofing (#3)

Hardens the IP allowlist in require_auth against the two bypasses filed in #3.

1. Bypass via missing X-Forwarded-For (no IP to check, allowlist skipped).
2. Spoofing via attacker-controlled X-Forwarded-For (header trusted unconditionally).

Resolves both by deriving the client IP from the socket peer (ConnectInfo<SocketAddr>) and only honoring X-Forwarded-For when the immediate peer is in a new security.trusted_proxies allowlist (default empty = strict). Fails closed with 403 forbidden_ip when a non-empty allowlist is configured and the client IP cannot be determined. Empty ip_whitelist continues to mean allow all (preserved for dev installs).

27 pm-auth tests pass (12 new resolver + 8 new middleware + 7 existing). Spec: tasks/ip-allowlist-spec.md.

crates/pm-core/src/config.rs

@@ -119,6 +119,13 @@ pub struct LoggingConfig {
 pub struct SecurityConfig {
     /// IP whitelist (CIDR or individual IPs); empty = allow all (not recommended)
     pub ip_whitelist: Vec<String>,
+    /// IP addresses (CIDR or single IP) of trusted reverse proxies. When the
+    /// immediate TCP peer is in this list, `X-Forwarded-For` is honored;
+    /// otherwise the socket peer IP is used for allowlist enforcement.
+    /// Default: empty (do not trust `X-Forwarded-For`). See
+    /// `tasks/ip-allowlist-spec.md` §4.3 for the operational guidance.
+    #[serde(default)]
+    pub trusted_proxies: Vec<String>,
     /// JWT signing key path (Ed25519 PEM)
     pub jwt_signing_key_path: String,
     /// JWT verification key path (Ed25519 public PEM)
@@ -280,6 +287,7 @@ impl Default for AppConfig {
             },
             security: SecurityConfig {
                 ip_whitelist: vec![],
+                trusted_proxies: vec![],
                 jwt_signing_key_path: "/etc/patch-manager/jwt/signing.pem".to_string(),
                 jwt_verify_key_path: "/etc/patch-manager/jwt/verify.pem".to_string(),
                 jwt_access_ttl_secs: 900,