Refactor backend configuration and authentication

- Add comprehensive documentation for backend development
- Improve client IP detection with utility functions and tests
- Update auth router with better error handling
- Refactor config module with environment-based settings

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

backend/app/routers/auth.py

@@ -41,10 +41,6 @@ log: structlog.stdlib.BoundLogger = structlog.get_logger()
 
 router = APIRouter(prefix="/api/auth", tags=["auth"])
 
-# Trusted proxy IPs that can set X-Forwarded-For header.
-# By default, none are trusted. In production behind nginx, add the nginx container IP.
-_TRUSTED_PROXIES: list[str] = []
-
 
 @router.post(
     "/login",
@@ -73,7 +69,7 @@ async def login(
         response: FastAPI response object used to set the cookie.
         request: The incoming HTTP request (used to extract client IP).
         session_ctx: Session service context containing db and repository.
-        settings: Application settings (used for session duration).
+        settings: Application settings (used for session duration and trusted proxies).
         rate_limiter: The login rate limiter (per IP).
 
     Returns:
@@ -83,7 +79,7 @@ async def login(
         AuthenticationError: if the password is incorrect.
         RateLimitError: if the rate limit is exceeded.
     """
-    client_ip = get_client_ip(request, trusted_proxies=_TRUSTED_PROXIES)
+    client_ip = get_client_ip(request, trusted_proxies=settings.trusted_proxies)
 
     if not rate_limiter.is_allowed(client_ip):
         log.warning("login_rate_limit_exceeded", client_ip=client_ip)