feat: allowed_ips for API keys + webhooks, S3 User-Agent (#282)

[DerDennisOP]

Summary

• Per-API-key allowed_ips (CIDR list) — empty/null = any source.
• Per-inbound-integration allowed_ips for forge_webhook (Gitea/Forgejo/GitLab) and github_app_webhook (per-installation filter).
• S3 object_store client now sends the same User-Agent as the shared reqwest client (Gradient/{version} ...).

Source-IP enforcement applies to:

• Bearer/cookie auth via the main authorize middleware.
• Authorization: Basic auth on cache endpoints.
• ?token= URL parameter flows on badge + entry-point download routes.
• Inbound forge webhooks and GitHub App webhooks.

Closes #282.

Test plan

• core::ip_allowlist unit tests pass (empty list, /32, /24, IPv4-mapped IPv6, malformed entry skipped, normalize bare IP / trim / reject).
• Bearer with allowed_ips=10.0.0.0/8: request from 10.x → 200; request from 8.8.8.8 → 403 forbidden_source_ip.
• Same for cache Basic-auth path.
• Forge webhook with allowed_ips set: in-range source → 200/202; out-of-range → 403 (after signature verification).
• GitHub App webhook: integrations whose allowlist rejects the source IP are silently skipped (rest dispatch normally).
• UI create/edit for an API key and an integration roundtrips allowed_ips correctly (textarea ↔ DB).
• Manual (optional): tcpdump an S3 request and confirm User-Agent: Gradient/....

[DerDennisOP]

/gradient run