feat(saas): add trusted_proxies config for reverse proxy rate limiting

- Add trusted_proxies field to ServerConfig (Vec<String>, serde default)
- Default value is empty vector (no proxy trust until explicitly configured)
- Development config: trust localhost IPs (127.0.0.1, ::1)
- Production config: placeholder localhost IPs with comment to replace

config/saas-development.toml

@@ -5,6 +5,7 @@
 host = "0.0.0.0"
 port = 8080
 cors_origins = []  # 空 = 开发模式允许所有来源
+trusted_proxies = ["127.0.0.1", "::1"]
 
 [database]
 url = "postgres://postgres:123123@localhost:5432/zclaw"

config/saas-production.toml

@@ -6,6 +6,7 @@ host = "0.0.0.0"
 port = 8080
 # 生产环境必须配置 CORS 白名单
 cors_origins = ["https://admin.zclaw.ai", "https://zclaw.ai"]
+trusted_proxies = ["127.0.0.1", "::1"]  # 替换为实际代理 IP
 
 [database]
 # 生产环境通过 ZCLAW_DATABASE_URL 环境变量覆盖，此处为占位

crates/zclaw-saas/src/config.rs

@@ -59,6 +59,10 @@ pub struct ServerConfig {
     pub port: u16,
     #[serde(default)]
     pub cors_origins: Vec<String>,
+    /// 可信反向代理 IP 列表。仅对来自这些 IP 的请求解析 X-Forwarded-For 头。
+    /// 生产环境应为 Nginx/Caddy 的实际 IP，如 ["127.0.0.1", "10.0.0.1"]
+    #[serde(default)]
+    pub trusted_proxies: Vec<String>,
 }
 
 /// 数据库配置
@@ -151,6 +155,7 @@ impl Default for ServerConfig {
             host: default_host(),
             port: default_port(),
             cors_origins: Vec::new(),
+            trusted_proxies: vec![],
         }
     }
 }