Honor X-Forwarded-For only from a trusted-proxy CIDR (#189)

EnrichContext used to copy the first X-Forwarded-For entry into the
request identity unconditionally. The resulting AttrClientIp drives
client-IP comparisons later in the gateway-access flow, and a direct
caller could set XFF to anything they liked.

Add a small package-level allow-list:

* InitTrustedProxies(cidrs) parses operator-supplied CIDRs once at
  startup. A bad CIDR is fatal; an empty list disables XFF entirely.
* EnrichContext takes the client IP from r.RemoteAddr (host portion)
  and only swaps in the first X-Forwarded-For entry when r.RemoteAddr
  itself sits in a trusted-proxy CIDR. AttrProxies is set from the
  remaining XFF entries on the same condition.

Wire Server.TrustedProxies through configuration.go to web.
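The allow-list the commit message describes, written out here as an added Go example; this is not the project's code, and the names InitTrustedProxies and ClientIP, the package-level trustedProxies slice and the port-less RemoteAddr fallback are assumptions:

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"strings"
)

// Constructed stand-in for the commit's package-level allow-list.
var trustedProxies []*net.IPNet

// InitTrustedProxies parses CIDRs once at startup; a bad CIDR is an error, an empty list disables XFF.
func InitTrustedProxies(cidrs []string) error {
	trustedProxies = nil
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			return fmt.Errorf("trusted proxy %q: %w", c, err)
		}
		trustedProxies = append(trustedProxies, n)
	}
	return nil
}

func isTrustedProxy(ip net.IP) bool {
	for _, n := range trustedProxies {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// ClientIP returns the host part of RemoteAddr and, only when that direct peer is a
// trusted proxy, swaps in the first XFF entry and reports the rest as the proxy chain.
func ClientIP(r *http.Request) (string, []string) {
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		host = r.RemoteAddr // assumed: RemoteAddr given without a port
	}
	ip := net.ParseIP(host)
	xff := strings.TrimSpace(r.Header.Get("X-Forwarded-For"))
	if ip == nil || !isTrustedProxy(ip) || xff == "" {
		return host, nil
	}
	parts := strings.Split(xff, ",")
	for i := range parts {
		parts[i] = strings.TrimSpace(parts[i])
	}
	return parts[0], parts[1:]
}
```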
bolkedebruin
2026-04-30 18:47:46 +02:00
committed by GitHub
parent 449cd1e2fe
commit 13323f56cb
7 changed files with 201 additions and 19 deletions

@@ -178,6 +178,12 @@ Server:
# link-local / IPv6 ULA / unspecified / multicast destinations unless
# this is true. Default false. Has no effect on the curated host modes.
# AllowPrivateDestinations: false
# CIDR allow-list of upstream proxies whose X-Forwarded-For header is
# trusted when deriving the client IP. Empty (default) makes the
# gateway ignore X-Forwarded-For and use the request's RemoteAddr.
# Set this to the proxy/load-balancer subnet that fronts the gateway.
# TrustedProxies:
# - 10.0.0.0/8
# a random strings of at least 32 characters to secure cookies on the client
# make sure to share this across the different pods
SessionKey: thisisasessionkeyreplacethisjetzt
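Review bot: the example value on the `# - 10.0.0.0/8` line contradicts the advice two lines above it to set the proxy/load-balancer subnet: a /8 trusts every host in that private range to supply X-Forwarded-For, so any of them could present an arbitrary client IP to the later client-IP comparisons. Suggest an example that is an actual proxy subnet, e.g. `# - 10.0.1.0/24`, and one more sentence in the comment saying which header entry is used (the commit message says the first, i.e. leftmost, entry, which proxies typically append after rather than overwrite), so operators know the trusted proxy has to strip or overwrite an incoming header for the derived client IP to be meaningful.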