feat(security): add trusted proxies and abuse event cleanup

- Add `WARPBOX_TRUSTED_PROXIES` configuration to restrict accepted forwarded client IP headers to specific proxy IPs/CIDRs, securing client IP resolution.
- Integrate `BanService` into the background cleanup job to automatically purge expired abuse and ban evidence events.
- Update documentation with reverse proxy security guidelines and a production systemd deployment guide.

backend/libs/handlers/security.go

@@ -6,6 +6,8 @@ import (
 	"net/http"
 	"sync"
 	"time"
+
+	"warpbox.dev/backend/libs/services"
 )
 
 const csrfCookieName = "warpbox_csrf"
@@ -76,3 +78,29 @@ func randomToken(byteCount int) string {
 	}
 	return base64.RawURLEncoding.EncodeToString(data)
 }
+
+func (a *App) recordLoginAbuse(r *http.Request, kind, detail string) {
+	if a.banService == nil {
+		return
+	}
+	settings, err := a.banService.Settings()
+	if err != nil || !settings.AutoBanEnabled {
+		return
+	}
+	threshold := settings.UserLoginFailureThreshold
+	if kind == services.AbuseKindAdminLogin {
+		threshold = settings.AdminLoginFailureThreshold
+	}
+	ip := uploadClientIP(r)
+	result, err := a.banService.RecordAbuse(ip, kind, detail, threshold, time.Now().UTC())
+	if err != nil {
+		a.logger.Error("login abuse event failed", "source", "ban", "severity", "error", "code", 5004, "ip", ip, "kind", kind, "error", err.Error())
+		return
+	}
+	if result.Enabled {
+		a.logger.Warn("login abuse recorded", "source", "ban", "severity", "warn", "code", 4304, "ip", ip, "kind", kind, "count", result.Event.Count)
+	}
+	if result.Triggered {
+		a.logger.Warn("ip auto-banned for login abuse", "source", "ban", "severity", "warn", "code", 4305, "ip", ip, "kind", kind, "ban_id", result.Ban.ID)
+	}
+}