feat: bypass security for health checks and support HEAD downloads

- Allow the `/health` endpoint to bypass the security middleware, ensuring container health checks succeed even if the proxy IP is banned.
- Add a test to verify health checks from banned IPs.
- Register a HEAD route for file downloads.
- Refactor admin alert status checks to use a new `isUnacknowledgedAlert` helper.
- Update the security runbook documentation with clearer instructions and examples for trusted proxy configuration.

lib/server/admin_alerts_test.go

@@ -0,0 +1,38 @@
+package server
+
+import (
+	"path/filepath"
+	"testing"
+
+	"warpbox/lib/alerts"
+	"warpbox/lib/config"
+)
+
+func TestAdminDashboardCountsOnlyUnacknowledgedAlerts(t *testing.T) {
+	store := alerts.NewStore(filepath.Join(t.TempDir(), "alerts.json"))
+	for _, alert := range []alerts.Alert{
+		{ID: "open-high", Title: "Open high", Severity: "high", Status: alerts.StatusOpen},
+		{ID: "acked-high", Title: "Acked high", Severity: "high", Status: alerts.StatusAcked},
+		{ID: "closed-medium", Title: "Closed medium", Severity: "medium", Status: alerts.StatusClosed},
+	} {
+		if err := store.Add(alert); err != nil {
+			t.Fatalf("Add returned error: %v", err)
+		}
+	}
+
+	app := &App{
+		config:     &config.Config{},
+		alertStore: store,
+	}
+	view := app.buildAdminDashboardView()
+
+	if view.OpenAlerts != 1 {
+		t.Fatalf("expected only unacknowledged alerts in dashboard count, got %d", view.OpenAlerts)
+	}
+	if view.HighAlerts != 1 || view.MediumAlerts != 0 || view.LowAlerts != 0 {
+		t.Fatalf("expected only open alert severities, got high=%d medium=%d low=%d", view.HighAlerts, view.MediumAlerts, view.LowAlerts)
+	}
+	if len(view.Alerts) != 1 || view.Alerts[0].ID != "open-high" {
+		t.Fatalf("expected only open alert in dashboard inbox, got %#v", view.Alerts)
+	}
+}