perf: scale workers + per-tablet rate limiting for 20 concurrent users

The default 2-worker gunicorn could only serve 2 concurrent tablet requests, queueing the rest, and the rate limiter saw every tablet as the same Nginx container IP, so 20 users would have collectively burned through the 100 req/min general bucket.

- gunicorn: 5 workers x 4 gthread, --forwarded-allow-ips=*, access log
- uvicorn: 4 workers, --proxy-headers, --forwarded-allow-ips=*
- RateLimitMiddleware: resolve real client IP from X-Forwarded-For -> X-Real-IP -> request.client.host
- Bump rate_limit_general 100 -> 300 req/min/IP (per tablet now)
- Flask: ProxyFix(x_for=1, x_proto=1, x_host=1) so request.remote_addr is the tablet IP, not the Nginx IP
- APIClient: forward X-Forwarded-For + X-Real-IP to FastAPI for both JSON and multipart/files calls; safe no-op outside request context
- 12 new tests (7 server + 5 client) covering header precedence, forwarding behavior and ProxyFix install

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@@ -6,6 +6,7 @@ from flask import Flask, redirect, url_for, session, request
|
||||
from flask_babel import Babel
|
||||
from flask_wtf.csrf import CSRFProtect
|
||||
from markupsafe import Markup
|
||||
from werkzeug.middleware.proxy_fix import ProxyFix
|
||||
|
||||
from config import Config
|
||||
|
||||
@@ -26,6 +27,11 @@ def create_app() -> Flask:
|
||||
app = Flask(__name__)
|
||||
app.config.from_object(Config)
|
||||
|
||||
# Trust one reverse-proxy hop (Nginx in dev, Traefik in prod) so that
|
||||
# request.remote_addr returns the real tablet IP rather than the proxy IP.
|
||||
# The APIClient forwards that IP to FastAPI for accurate rate limiting.
|
||||
app.wsgi_app = ProxyFix(app.wsgi_app, x_for=1, x_proto=1, x_host=1)
|
||||
|
||||
# Initialize CSRF protection
|
||||
csrf = CSRFProtect(app)
|
||||
|
||||
|
||||
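Review bot: The hop counts in `ProxyFix(app.wsgi_app, x_for=1, x_proto=1, x_host=1)` in create_app() are hard-coded and applied unconditionally, while the comment assumes exactly one proxy in front of Flask in both dev (Nginx) and prod (Traefik). Since the comment also says the resulting request.remote_addr is forwarded to FastAPI for rate limiting, any deployment where the Flask port is reachable without passing through that proxy, or where the hop count differs, would let a client-supplied X-Forwarded-For decide which rate-limit bucket it lands in. Please read the hop counts from Config so they can be set per environment (and to 0 when no proxy is present), and state in the comment that the app must only be reachable through the proxy. Separately, x_host=1 trusts X-Forwarded-Host, which feeds url_for/redirect host generation; nothing in the stated purpose (real tablet IP) needs it, so either drop it or confirm that both Nginx and Traefik overwrite that header rather than passing the client's value through.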