fix(backend): relax SSRF validation for loopback in dev, graceful metrics/regexploit fallback

- ip_utils: allow loopback (127.0.0.1) in dev mode (BANGUI_LOG_LEVEL=debug)
  so e2e tests can reach a mock HTTP server on the host
- metrics: make all operations no-ops when prometheus_client not installed
- regex_validator: graceful fallback when regexploit not installed
- geo_cache: use attribute access instead of dict subscript for typed rows
- rate_limit: support bucket_override parameter for per-endpoint rate limits
- ban_service: construct DomainActiveBan explicitly instead of model_copy

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

backend/app/services/ban_service.py

@@ -332,7 +332,14 @@ async def get_active_bans(
         for ban in bans:
             geo = geo_map.get(ban.ip)
             if geo is not None:
-                enriched.append(ban.model_copy(update={"country": geo.country_code}))
+                enriched.append(DomainActiveBan(
+                    ip=ban.ip,
+                    jail=ban.jail,
+                    banned_at=ban.banned_at,
+                    expires_at=ban.expires_at,
+                    ban_count=ban.ban_count,
+                    country=geo.country_code,
+                ))
             else:
                 enriched.append(ban)
         bans = enriched