feat(security): add trusted proxies and abuse event cleanup

- Add `WARPBOX_TRUSTED_PROXIES` configuration to restrict accepted forwarded client IP headers to specific proxy IPs/CIDRs, securing client IP resolution.
- Integrate `BanService` into the background cleanup job to automatically purge expired abuse and ban evidence events.
- Update documentation with reverse proxy security guidelines and a production systemd deployment guide.

backend/libs/config/config.go

@@ -23,6 +23,7 @@ type Config struct {
 	ReadTimeout      time.Duration
 	WriteTimeout     time.Duration
 	IdleTimeout      time.Duration
+	TrustedProxies   []string
 	JobsEnabled      bool
 	CleanupEnabled   bool
 	CleanupEvery     time.Duration
@@ -66,6 +67,7 @@ func Load() (Config, error) {
 		ReadTimeout:      envDuration("WARPBOX_READ_TIMEOUT", 15*time.Second),
 		WriteTimeout:     envDuration("WARPBOX_WRITE_TIMEOUT", 60*time.Second),
 		IdleTimeout:      envDuration("WARPBOX_IDLE_TIMEOUT", 120*time.Second),
+		TrustedProxies:   envCSV("WARPBOX_TRUSTED_PROXIES"),
 		JobsEnabled:      envBool("WARPBOX_JOBS_ENABLED", true),
 		CleanupEnabled:   envBool("WARPBOX_CLEANUP_ENABLED", true),
 		CleanupEvery:     envDuration("WARPBOX_CLEANUP_EVERY", time.Hour),
@@ -180,6 +182,21 @@ func envInt(key string, fallback int) int {
 	return parsed
 }
 
+func envCSV(key string) []string {
+	value := strings.TrimSpace(os.Getenv(key))
+	if value == "" {
+		return nil
+	}
+	parts := strings.Split(value, ",")
+	values := make([]string, 0, len(parts))
+	for _, part := range parts {
+		if trimmed := strings.TrimSpace(part); trimmed != "" {
+			values = append(values, trimmed)
+		}
+	}
+	return values
+}
+
 func envMegabytes(key string, fallback float64) int64 {
 	value := strings.TrimSpace(os.Getenv(key))
 	if value == "" {