trusted proxy, TOTP replay protection, new tests

- Trusted proxy config option for proxy-aware IP extraction
  used by rate limiting and audit logs; validates proxy IP
  before trusting X-Forwarded-For / X-Real-IP headers
- TOTP replay protection via counter-based validation to
  reject reused codes within the same time step (±30s)
- RateLimit middleware updated to extract client IP from
  proxy headers without IP spoofing risk
- New tests for ClientIP proxy logic (spoofed headers,
  fallback) and extended rate-limit proxy coverage
- HTMX error banner script integrated into web UI base
- .gitignore updated for mciasdb build artifact

Security: resolves CRIT-01 (TOTP replay attack) and
DEF-03 (proxy-unaware rate limiting); gRPC TOTP
enrollment aligned with REST via StorePendingTOTP

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

dist/mcias.conf.example

@@ -32,6 +32,21 @@ tls_cert = "/etc/mcias/server.crt"
 # Permissions: mode 0640, owner root:mcias.
 tls_key = "/etc/mcias/server.key"
 
+# OPTIONAL. IP address of a trusted reverse proxy (e.g. nginx, Caddy, HAProxy).
+# When set, the rate limiter and audit log extract the real client IP from the
+# X-Real-IP or X-Forwarded-For header, but ONLY for requests whose TCP source
+# address matches this exact IP. All other requests use RemoteAddr directly,
+# preventing IP spoofing by external clients.
+#
+# Must be an IP address, not a hostname or CIDR range.
+# Omit when running without a reverse proxy (direct Internet exposure).
+#
+# Example — local nginx proxy:
+# trusted_proxy = "127.0.0.1"
+#
+# Example — Docker network gateway:
+# trusted_proxy = "172.17.0.1"
+
 # ---------------------------------------------------------------------------
 # [database] — SQLite database
 # ---------------------------------------------------------------------------