fix(security): close XFF bypass and three secret-leak paths

Four fixes hardening the secrets and rate-limit posture a prior audit
left or that regressed:

X-Forwarded-For rate-limit bypass + memory DoS (ratelimit.go): clientIP
returned the raw XFF header, so an attacker rotating it minted unlimited
distinct limiter keys — never tripping the limit and growing the visitors
map without bound. XFF is now honored only when the immediate peer is a
configured trusted proxy (UPTOP_TRUSTED_PROXIES, CIDRs or bare IPs), using
the right-most non-trusted hop; otherwise the key is the real RemoteAddr.
The visitors map is bounded with LRU eviction as defense in depth.

Export redaction denylist -> per-provider allowlist (server.go): the old
six-key denylist missed the actual credentials — the webhook URL for
discord/slack/webhook/ntfy/gotify and api_key for opsgenie — exporting
them in the clear. redactByProvider keeps only known-safe keys per
provider type and redacts everything else, so unknown/new keys fail safe.

ImportData plaintext secrets (sqlstore.go): import inserted raw
json.Marshal(settings), bypassing the encryption AddAlert/UpdateAlert
use. It now routes through marshalSettings, so a restore with
UPTOP_ENCRYPTION_KEY set stores enc:-prefixed ciphertext, not plaintext.

Alert error credential leak (alert.go): provider Send returned the raw
*url.Error, whose URL carries the secret (Telegram bot token in the path,
webhook secrets in the URL); it was persisted to AlertHealth.LastError
and shown in the TUI. sanitizeError strips the URL, keeping the operation
and underlying cause.

Tests cover trusted/untrusted XFF + spoofed-bypass + map bound, the
allowlist per provider, encrypted-on-import round-trip, and URL-stripped
errors. README documents UPTOP_TRUSTED_PROXIES. Full suite green under
-race; golangci-lint clean.

cmd/uptop/main.go

@@ -7,6 +7,7 @@ import (
 	"flag"
 	"fmt"
 	"log"
+	"net"
 	"net/url"
 	"os"
 	"os/signal"
@@ -85,6 +86,39 @@ func redactDSN(dsn string) string {
 	return u.String()
 }
 
+// parseTrustedProxies turns UPTOP_TRUSTED_PROXIES (comma-separated CIDRs or
+// bare IPs) into networks the rate limiter trusts to set X-Forwarded-For. Bare
+// IPs are treated as single-host ranges. Invalid entries are warned about and
+// skipped, so a typo degrades to "ignore XFF" (safe) rather than aborting boot.
+func parseTrustedProxies(raw string) []*net.IPNet {
+	if strings.TrimSpace(raw) == "" {
+		return nil
+	}
+	var cidrs []*net.IPNet
+	for _, part := range strings.Split(raw, ",") {
+		part = strings.TrimSpace(part)
+		if part == "" {
+			continue
+		}
+		if !strings.Contains(part, "/") {
+			if ip := net.ParseIP(part); ip != nil {
+				bits := 32
+				if ip.To4() == nil {
+					bits = 128
+				}
+				part = fmt.Sprintf("%s/%d", part, bits)
+			}
+		}
+		_, ipnet, err := net.ParseCIDR(part)
+		if err != nil {
+			fmt.Fprintf(os.Stderr, "WARNING: ignoring invalid UPTOP_TRUSTED_PROXIES entry %q: %v\n", part, err)
+			continue
+		}
+		cidrs = append(cidrs, ipnet)
+	}
+	return cidrs
+}
+
 func openStore(dbType, dsn string) store.Store {
 	var ss *store.SQLStore
 	var err error
@@ -397,15 +431,16 @@ func runServe(args []string) {
 	tlsKey := os.Getenv("UPTOP_TLS_KEY")
 
 	httpSrv := server.Start(server.ServerConfig{
-		Port:          httpPort,
-		EnableStatus:  enableStatus,
-		Title:         statusTitle,
-		ClusterKey:    clusterKey,
-		TLSCert:       tlsCert,
-		TLSKey:        tlsKey,
-		ClusterMode:   clusterMode,
-		MetricsPublic: os.Getenv("UPTOP_METRICS_PUBLIC") == "true",
-		CORSOrigin:    os.Getenv("UPTOP_CORS_ORIGIN"),
+		Port:           httpPort,
+		EnableStatus:   enableStatus,
+		Title:          statusTitle,
+		ClusterKey:     clusterKey,
+		TLSCert:        tlsCert,
+		TLSKey:         tlsKey,
+		ClusterMode:    clusterMode,
+		MetricsPublic:  os.Getenv("UPTOP_METRICS_PUBLIC") == "true",
+		CORSOrigin:     os.Getenv("UPTOP_CORS_ORIGIN"),
+		TrustedProxies: parseTrustedProxies(os.Getenv("UPTOP_TRUSTED_PROXIES")),
 	}, s, eng)
 
 	cluster.Start(ctx, cluster.Config{