Refactor security configuration: Remove external CrowdSec mode support

- Updated SecurityConfig model to only support 'local' or 'disabled' modes for CrowdSec.
- Modified related logic in the manager and services to reject external mode.
- Adjusted tests to validate the new restrictions on CrowdSec modes.
- Updated frontend components to remove references to external mode and provide appropriate user feedback.
- Enhanced documentation to reflect the removal of external CrowdSec mode support.
This commit is contained in:
GitHub Actions
2025-12-01 19:43:45 +00:00
parent 08f9c8f87d
commit b0a4d75a2a
23 changed files with 585 additions and 86 deletions

@@ -10,8 +10,7 @@ Charon includes the optional Cerberus security suite — a collection of high-va
**Modes:**
* **Local**: Installs the CrowdSec agent *inside* the Charon container. Useful for single-container setups.
* *Note*: Increases container startup time and resource usage.
* **External**: Connects to an existing CrowdSec agent running elsewhere (e.g., on the host or another container).
* *Recommended* for production or multi-server setups.
* **External**: (Deprecated) connections to external CrowdSec agents are no longer supported.
### 2. WAF (Web Application Firewall)
Uses [Coraza](https://coraza.io/), a Go-native WAF, with the **OWASP Core Rule Set (CRS)** to protect against common web attacks (SQL Injection, XSS, etc.).
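Review bot: In the **External** bullet, "(Deprecated)" contradicts "no longer supported", and the commit message says external mode is now rejected, so the bullet should say it has been removed. It should also state what an existing deployment with the mode set to `external` will see (a startup or validation error, or a fallback to `disabled`), because a silent fallback would leave the proxy running without CrowdSec. The old line "*Recommended* for production or multi-server setups" goes away with no replacement guidance for those setups; a sentence pointing those users at `local` or at another arrangement would close that gap.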
@@ -48,9 +47,7 @@ You can enable or disable Cerberus at runtime via the web UI `System Settings` o
| :--- | :--- | :--- |
| `CERBERUS_SECURITY_CROWDSEC_MODE` | `disabled` | (Default) CrowdSec is turned off. (CERBERUS_ preferred; CHARON_/CPM_ still supported) |
| | `local` | Installs and runs CrowdSec agent inside the container. |
| | `external` | Connects to an external CrowdSec agent. |
| `CERBERUS_SECURITY_CROWDSEC_API_URL` | URL | (Required for `external`) e.g., `http://crowdsec:8080` |
| `CERBERUS_SECURITY_CROWDSEC_API_KEY` | String | (Required for `external`) Your CrowdSec bouncer API key. |
| | `local` | Installs and runs CrowdSec agent inside the container. |
**Example (Local Mode):**
```yaml
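Review bot: The environment-variable table in this hunk touches the `external` row and the two variables marked "(Required for `external`)", but nothing in the remaining rows tells an operator that `external` is now rejected or what to do with `CERBERUS_SECURITY_CROWDSEC_API_URL` and `CERBERUS_SECURITY_CROWDSEC_API_KEY`. Please add a short note under the table saying that `external` is no longer accepted and that the URL and key variables are ignored, so leftover bouncer API keys can be removed from compose files and environments. The `local` row also appears twice in the hunk with identical text; if the only difference is whitespace, dropping that churn would keep the diff to the intended change.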