fix: resolve 13 release-consistency findings

Documentation:
- Fix CI badge href to /actions (was 404 on Gitea)
- Add UPTOP_METRICS_PUBLIC + UPTOP_MAINT_RETENTION to README env table
- Link maintenance retention to env var name in data retention section
- Note metrics auth requirement in features list
- Fix clustering.md: fail-closed wording, mark AGG_STRATEGY/NODE_REGION optional
- Fix .env.example: wording (no .env loader), add TRUSTED_PROXIES + MAINT_RETENTION
- Add CLI help/usage with subcommand listing, accept serve/help/-h/-version

Docker/deploy:
- Add EXPOSE 8080 to Dockerfile
- Remove dead LIPGLOSS_RENDERER_HAS_DARK_BACKGROUND env
- Exempt /api/health from cluster auth (fixes Docker HEALTHCHECK 401)
- Add sysctls for unprivileged ping to all compose files

Cosmetic:
- Fix bug_report.yaml: SemVer placeholder, remove nonexistent serve subcommand

.env.example

@@ -1,5 +1,5 @@
 # ─── uptop configuration ───────────────────────────────────
-# Copy to .env and edit. Only uncomment what you need.
+# Export in your environment or pass via docker run --env-file.\n# Only uncomment what you need.
 
 # ─── Core ──────────────────────────────────────────────────
 UPTOP_PORT=23234              # SSH server port
@@ -40,3 +40,5 @@ UPTOP_DB_DSN=/data/uptop.db   # File path (SQLite) or connection string (Postgre
 # UPTOP_ALLOW_PRIVATE_TARGETS=false    # Allow monitoring RFC1918/loopback addresses
 # UPTOP_METRICS_PUBLIC=false           # Expose /metrics without auth
 # UPTOP_CORS_ORIGIN=                   # Access-Control-Allow-Origin for /status/json
+# UPTOP_TRUSTED_PROXIES=              # Comma-separated CIDRs/IPs for X-Forwarded-For trust
+# UPTOP_MAINT_RETENTION=168h           # How long ended maintenance windows are kept