fix(backend): relax SSRF validation for loopback in dev, graceful metrics/regexploit fallback

- ip_utils: allow loopback (127.0.0.1) in dev mode (BANGUI_LOG_LEVEL=debug)
  so e2e tests can reach a mock HTTP server on the host
- metrics: make all operations no-ops when prometheus_client not installed
- regex_validator: graceful fallback when regexploit not installed
- geo_cache: use attribute access instead of dict subscript for typed rows
- rate_limit: support bucket_override parameter for per-endpoint rate limits
- ban_service: construct DomainActiveBan explicitly instead of model_copy

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

backend/app/services/geo_cache.py

@@ -299,18 +299,18 @@ class GeoCache:
         count = 0
         cache_entries: list[tuple[str, GeoInfo]] = []
         for row in await geo_cache_repo.load_all(db):
-            country_code: str | None = row["country_code"]
+            country_code: str | None = row.country_code
             if country_code is None:
                 continue
-            ip: str = row["ip"]
+            ip: str = row.ip
             cache_entries.append(
                 (
                     ip,
                     GeoInfo(
                         country_code=country_code,
-                        country_name=row["country_name"],
-                        asn=row["asn"],
-                        org=row["org"],
+                        country_name=row.country_name,
+                        asn=row.asn,
+                        org=row.org,
                     ),
                 )
             )