feat(security): add trusted proxies and abuse event cleanup

- Add `WARPBOX_TRUSTED_PROXIES` configuration to restrict accepted forwarded client IP headers to specific proxy IPs/CIDRs, securing client IP resolution.
- Integrate `BanService` into the background cleanup job to automatically purge expired abuse and ban evidence events.
- Update documentation with reverse proxy security guidelines and a production systemd deployment guide.

backend/static/css/16-retro.css

@@ -189,14 +189,25 @@
   padding-left: calc(0.85rem + 1px);
 }
 
-/* The primary call-to-action gets the blue title-bar gradient. */
+/* The primary call-to-action is a glossy raised blue button. A vertical
+   gradient + strong 3D bevel keeps it clearly a button (and distinct from the
+   horizontal title-bar gradient). */
 :root[data-theme="retro"] .button-primary {
-  background: linear-gradient(to right, #000078, 80%, #0f80cd);
+  background: linear-gradient(to bottom, #2f86e0 0%, #0a3aa0 52%, #000078 100%);
   color: #ffffff;
+  border: 1px solid #000000;
+  box-shadow: inset -1px -1px 0 #00003a, inset 1px 1px 0 #7fc0ff, inset -2px -2px 0 #001a6a, inset 2px 2px 0 #3f9fe8;
+  text-shadow: 1px 1px 0 rgba(0, 0, 0, 0.4);
 }
 
 :root[data-theme="retro"] .button-primary:hover {
-  background: linear-gradient(to right, #0a0a9a, 80%, #1a90dd);
+  filter: brightness(1.08);
+}
+
+:root[data-theme="retro"] .button-primary:active {
+  box-shadow: inset 1px 1px 0 #00003a, inset -1px -1px 0 #7fc0ff;
+  padding-top: calc(0.45rem + 1px);
+  padding-left: calc(0.85rem + 1px);
 }
 
 :root[data-theme="retro"] .button-danger {
@@ -277,7 +288,8 @@
    the API section cards. Pages where a heading sits below an icon or kicker
    (download/preview/login) keep the inset heading from the base h1 rule. */
 :root[data-theme="retro"] .card-content > h1:first-child,
-:root[data-theme="retro"] .docs-header h1 {
+:root[data-theme="retro"] .docs-header h1,
+:root[data-theme="retro"] .download-view-wide .download-card h1 {
   margin: -1.5rem -1.5rem 1rem;
 }
 
@@ -547,3 +559,64 @@
   border: 1px solid #000000;
   box-shadow: var(--shadow);
 }
+
+/* ------------------------------------------------------------------------- */
+/* Download / box page                                                       */
+/* ------------------------------------------------------------------------- */
+
+/* The decorative file glyph above the title doesn't suit a Win98 window. */
+:root[data-theme="retro"] .file-emblem {
+  display: none;
+}
+
+/* The download window's content is left-aligned like a real file manager. */
+:root[data-theme="retro"] .download-view-wide .download-card {
+  text-align: left;
+}
+
+/* Expiry shown as a sunken status field with a little clock. */
+:root[data-theme="retro"] .badge-row {
+  justify-content: flex-start;
+}
+
+:root[data-theme="retro"] .badge-expiry {
+  background: #ffffff;
+  color: #000000;
+  border: 1px solid #000000;
+  box-shadow: inset 1px 1px 0 #808080, inset -1px -1px 0 #ffffff;
+  font-weight: 700;
+  padding: 0.3rem 0.7rem;
+}
+
+:root[data-theme="retro"] .badge-expiry::before {
+  content: "\23F1  ";
+}
+
+/* List / Thumbnails / Preview images = a Win98 toolbar (menubar) of flat
+   buttons that raise on hover and depress when active. */
+:root[data-theme="retro"] .view-toolbar {
+  justify-content: flex-start;
+  gap: 2px;
+  margin-top: 1rem;
+  padding: 3px;
+  background: #c0c0c0;
+  border: 1px solid #000000;
+  box-shadow: inset 1px 1px 0 #ffffff, inset -1px -1px 0 #808080;
+}
+
+:root[data-theme="retro"] .view-toolbar .button {
+  background: transparent;
+  border: 1px solid transparent;
+  box-shadow: none;
+  font-weight: 400;
+}
+
+:root[data-theme="retro"] .view-toolbar .button:hover {
+  background: #c0c0c0;
+  box-shadow: inset -1px -1px 0 #808080, inset 1px 1px 0 #ffffff;
+}
+
+:root[data-theme="retro"] .view-toolbar .button.is-active {
+  background: #d4d0c8;
+  box-shadow: inset 1px 1px 0 #808080, inset -1px -1px 0 #ffffff;
+}