fix(rate-limit): prevent X-Forwarded-For spoof bypass #299

Merged
Scottcjn merged 1 commit into Scottcjn:main from liu971227-sys:bounty/57-xff-rate-limit-bypass
Feb 20, 2026
Conversation

@liu971227-sys (Contributor)

## Summary
- harden client_ip_from_request() against X-Forwarded-For spoofing
- when request comes from trusted proxy, resolve client IP from right-to-left chain and select first non-trusted hop
- ignore invalid XFF hops and fall back safely to remote_addr
- add regression tests for spoofed left-most XFF and untrusted-remote behavior

## Why
Current behavior trusts the first XFF hop when request arrives via trusted proxy.
With common proxy append behavior, attacker-controlled left-most values can bypass IP-based anti-abuse controls (including attestation IP rate limiting).

## Test
- python -m py_compile node/rustchain_v2_integrated_v2.2.1_rip200.py
- python -m pytest tests/test_api.py -q

## Related
- rustchain-bounties#57
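The resolution rule the PR description lays out (trust the header only when the peer is a trusted proxy, walk the chain right to left, skip invalid hops, fall back to remote_addr) is easy to get subtly wrong, so here is a stand-alone illustration of the before and after. This is an added example, not the project's client_ip_from_request() or any code from the PR; the function names, the trusted-proxy ranges and the sample header values are all constructed for this demonstration.

```python
import ipaddress
from typing import Iterable, Optional, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample: hypothetical trusted reverse-proxy ranges for this example only.
TRUSTED_PROXIES: list = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("127.0.0.0/8"),
]


def _parse_ip(hop: str):
    """Return an ip_address object for a single XFF hop, or None if it is not a bare IP literal."""
    try:
        return ipaddress.ip_address(hop.strip())
    except ValueError:
        return None


def _is_trusted(ip, trusted: Iterable[IPNetwork]) -> bool:
    # Membership tests across IPv4/IPv6 versions just return False, so no special casing is needed.
    return any(ip in net for net in trusted)


def client_ip_naive(remote_addr: str, xff: Optional[str], trusted=TRUSTED_PROXIES) -> str:
    """The behaviour the PR replaces: behind a trusted proxy, believe the left-most XFF hop.

    Because proxies append to the header rather than overwrite it, the left-most hop is
    whatever the original client chose to send.
    """
    remote = _parse_ip(remote_addr)
    if remote is None or not _is_trusted(remote, trusted) or not xff:
        return remote_addr
    return xff.split(",")[0].strip()


def client_ip_hardened(remote_addr: str, xff: Optional[str], trusted=TRUSTED_PROXIES) -> str:
    """Resolve the client IP the way the PR description specifies.

    - If the peer is not a trusted proxy, the header is untrusted input: use remote_addr.
    - Otherwise walk the chain right to left (the right-most hop was appended by the proxy
      nearest to us) and return the first hop that is not itself a trusted proxy.
    - Hops that are not valid IP literals are skipped; if no usable hop remains, fall back
      to remote_addr.
    """
    remote = _parse_ip(remote_addr)
    if remote is None or not _is_trusted(remote, trusted) or not xff:
        return remote_addr
    for hop in reversed(xff.split(",")):
        ip = _parse_ip(hop)
        if ip is None:
            continue  # invalid hop: ignore it rather than let it decide the outcome
        if not _is_trusted(ip, trusted):
            return str(ip)
    return remote_addr  # every hop was one of our own proxies


if __name__ == "__main__":
    # Constructed scenario: the peer is the trusted proxy 10.0.0.5, which appended the real
    # client address 203.0.113.9 to a header the client had already populated.
    header = "198.51.100.7, 203.0.113.9"
    print("naive    ->", client_ip_naive("10.0.0.5", header))     # client-chosen value
    print("hardened ->", client_ip_hardened("10.0.0.5", header))  # address the proxy saw
```

The right-to-left walk is what makes the rate limiter key on an address the proxy observed rather than one the client typed; the trusted-proxy check on remote_addr is equally important, since without it anyone connecting directly to the node could present any header they like. A regression test for this fix should cover exactly the cases the PR lists: a spoofed left-most hop behind a trusted proxy, an untrusted peer supplying a header, a chain made only of trusted hops, and a chain containing garbage.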

@liu971227-sys (Contributor, Author)

Review Tier Label Gate is failing only due to missing BCOS tier label on this non-doc PR.

This is a focused API security hardening fix (XFF spoof -> rate-limit bypass), so BCOS-L1 seems appropriate.

Could a maintainer add BCOS-L1 (or bcos:l1) and re-run checks?

@Scottcjn Scottcjn merged commit 0fcef17 into Scottcjn:main Feb 20, 2026
2 of 3 checks passed