feat(saas): add trusted_proxies config for reverse proxy rate limiting

- Add trusted_proxies field to ServerConfig (Vec<String>, serde default)
- Default value is empty vector (no proxy trust until explicitly configured)
- Development config: trust localhost IPs (127.0.0.1, ::1)
- Production config: placeholder localhost IPs with comment to replace

config/saas-development.toml

@@ -5,6 +5,7 @@
 host = "0.0.0.0"
 port = 8080
 cors_origins = []  # 空 = 开发模式允许所有来源
+trusted_proxies = ["127.0.0.1", "::1"]
 
 [database]
 url = "postgres://postgres:123123@localhost:5432/zclaw"

config/saas-production.toml

@@ -6,6 +6,7 @@ host = "0.0.0.0"
 port = 8080
 # 生产环境必须配置 CORS 白名单
 cors_origins = ["https://admin.zclaw.ai", "https://zclaw.ai"]
+trusted_proxies = ["127.0.0.1", "::1"]  # 替换为实际代理 IP
 
 [database]
 # 生产环境通过 ZCLAW_DATABASE_URL 环境变量覆盖，此处为占位