fix(server): resilient rate-limit key + narrower trustProxy for reverse-proxy setups

[steilerDev]

Summary

Two production fixes triggered by the fastify 5.8.5 security patch for CVE-2026-33806 (trustProxy socketAddr null-check). Under the tightened code path, request.ip can resolve to undefined when the raw TCP socket lacks metadata — collapsing @fastify/rate-limit's default keyGenerator (which uses request.ip) to a single undefined bucket shared across all unknown-IP callers. This triggers the login max: 20 bucket after 20 requests and returns 429s to all subsequent callers.

Changes:

• rateLimitPlugin.ts: add explicit keyGenerator with fallback chain request.ip → first x-forwarded-for → x-real-ip → "unknown". Unknown-IP requests are still rate-limited (bucketed as "unknown") rather than silently shared.
• app.ts: pass trustProxy: 1 (number of hops) instead of boolean true. We sit behind exactly one reverse proxy in production; the number-based code path was explicitly hardened in 5.8.5.

Public /api/config still exposes trustProxy as boolean — external contract unchanged.

Unblocks PR #1215 (beta → main promotion) E2E Gates.

Test plan

• npm run typecheck passes
• config.test.ts 68/68 pass
• Quality Gates passes
• E2E Gates on PR release: promote beta to main #1215 passes after this lands on beta

[github-actions]

Thank you for your submission! We require all contributors to sign our Contributor License Agreement before we can accept your contribution.

To sign, please comment on this PR with:
I have read the CLA Document and I hereby sign the CLA

---

I have read the CLA Document and I hereby sign the CLA

---

Frank Steiler seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you have already a GitHub account, please add the email address used for this commit to your account.
_{You can retrigger this bot by commenting recheck in this Pull Request. Posted by the CLA Assistant Lite bot.}