fix(rate-limit): only trust X-Forwarded-For from known reverse proxies

Without this guard any client could send X-Forwarded-For: <spoofed-ip>
and bypass per-IP rate limiting entirely.

Also switches expireAfterWrite → expireAfterAccess so the 1-minute
window starts at first request, not last, and fixes the .gitignore
entry that accidentally merged **/test-results/ and .worktrees/ into
one broken pattern.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Marcel
2026-04-19 01:20:11 +02:00
parent daea748a20
commit 103d454e14
3 changed files with 109 additions and 7 deletions

.gitignore vendored

@@ -11,4 +11,5 @@ gitea/
scripts/large-data.sql
.vitest-attachments
**/test-results/.worktrees/
**/test-results/
.worktrees/
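Review bot: the `**/` prefix on `**/test-results/` is redundant; a gitignore pattern with no slash other than a trailing one already matches at any depth, so `test-results/` is equivalent and reads consistently with the sibling `.worktrees/` entry. The split itself is right: the old single line `**/test-results/.worktrees/` only matched a `.worktrees` directory nested inside a `test-results` directory, which is why neither path was being ignored, and the `-11,4 +11,5` header matches one line removed and two added. The rate-limiter changes the message describes (trusted-proxy check for X-Forwarded-For, expireAfterWrite → expireAfterAccess) are not in this hunk, so they need review against the other two changed files.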