feat(security): add trusted proxies and abuse event cleanup

- Add `WARPBOX_TRUSTED_PROXIES` configuration to restrict accepted forwarded client IP headers to specific proxy IPs/CIDRs, securing client IP resolution.
- Integrate `BanService` into the background cleanup job to automatically purge expired abuse and ban evidence events.
- Update documentation with reverse proxy security guidelines and a production systemd deployment guide.

backend/libs/jobs/cleanup.go

@@ -8,7 +8,7 @@ import (
 	"warpbox.dev/backend/libs/services"
 )
 
-func newCleanupJob(cfg config.Config, logger *slog.Logger, uploadService *services.UploadService) job {
+func newCleanupJob(cfg config.Config, logger *slog.Logger, uploadService *services.UploadService, banService *services.BanService) job {
 	return job{
 		name:     "cleanup",
 		enabled:  cfg.CleanupEnabled,
@@ -22,6 +22,16 @@ func newCleanupJob(cfg config.Config, logger *slog.Logger, uploadService *servic
 			if cleaned > 0 {
 				logger.Info("cleanup job complete", "source", "housekeeping", "severity", "user_activity", "code", 2202, "cleaned", cleaned)
 			}
+			if banService != nil {
+				cleanedEvents, err := banService.CleanupAbuseEvents(time.Now().UTC())
+				if err != nil {
+					logger.Warn("ban evidence cleanup failed", "source", "housekeeping", "severity", "warn", "code", 4203, "error", err.Error())
+					return
+				}
+				if cleanedEvents > 0 {
+					logger.Info("ban evidence cleaned", "source", "housekeeping", "severity", "user_activity", "code", 2203, "cleaned", cleanedEvents)
+				}
+			}
 		},
 	}
 }