fix: add missing field handlers in proxy host Update endpoint

Add handlers for enable_standard_headers, forward_auth_enabled, and waf_disabled fields
in the proxy host Update function. These fields were defined in the model but were not
being processed during updates, causing:

- 500 errors when saving proxy host configurations
- Auth pass-through failures for apps like Seerr/Overseerr due to missing X-Forwarded-* headers

Changes:
- backend: Add field handlers for 3 missing fields in proxy_host_handler.go
- backend: Add 5 comprehensive unit tests for field handling
- frontend: Update TypeScript ProxyHost interface with missing fields
- docs: Document fixes in CHANGELOG.md

Tests: All 1147 tests pass (backend 85.6%, frontend 87.7% coverage)
Security: No vulnerabilities (Trivy + govulncheck clean)

Fixes #16 (auth pass-through)
Fixes #17 (500 error on save)
GitHub Actions
2025-12-20 01:55:52 +00:00
parent 6712ee9e43
commit f936c93896
62 changed files with 4301 additions and 1685 deletions


@@ -15,6 +15,7 @@ wss://example.com/api/v1/logs/live?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
```
**Security Risk:**
- Query parameters are logged in web server access logs (Caddy, nginx, Apache, etc.)
- Tokens appear in proxy logs
- Tokens may be stored in browser history
@@ -32,6 +33,7 @@ wss://example.com/api/v1/logs/live?source=waf&level=error
The browser automatically sends the `auth_token` cookie with the WebSocket upgrade request.
**Security Benefits:**
- ✅ HttpOnly cookies are **not logged** by web servers
- ✅ HttpOnly cookies **cannot be accessed** by JavaScript (XSS protection)
- ✅ Cookies are **not visible** in browser history
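Review bot: the first bullet attributes "not logged" to HttpOnly, but the HttpOnly flag has no effect on logging; cookies stay out of access logs only because the default log formats of Caddy, nginx and Apache do not record the Cookie header, and an operator who configures request-header logging would capture the cookie regardless of the flag. Suggest rewording to "Cookies are not written to access logs by default (the Cookie header is not part of standard log formats)" so the benefit is tied to the right mechanism.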
@@ -45,6 +47,7 @@ The browser automatically sends the `auth_token` cookie with the WebSocket upgra
**Location:** `frontend/src/api/logs.ts`
Removed:
```typescript
const token = localStorage.getItem('charon_auth_token');
if (token) {
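Review bot: removing the `localStorage.getItem('charon_auth_token')` read leaves the previously stored key in place on clients that logged in before this change, and the section does not say whether the frontend deletes `charon_auth_token` from localStorage on upgrade or on next login. Until that token expires it remains readable by any script running on the origin, which is exactly the exposure the HttpOnly cookie is meant to close; suggest documenting the cleanup here.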
@@ -53,6 +56,7 @@ if (token) {
```
The browser automatically sends the `auth_token` cookie when establishing WebSocket connections due to:
1. The cookie is set by the backend during login with `HttpOnly`, `Secure`, and `SameSite` flags
2. The axios client has `withCredentials: true`, enabling cookie transmission
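Review bot: item 2 is inaccurate as a reason: `withCredentials: true` is an XMLHttpRequest/axios option and has no effect on the native `WebSocket` API. Browsers attach cookies to the WebSocket upgrade request on their own, subject to the cookie's Domain, Path, Secure and SameSite attributes. Suggest replacing item 2 with that statement so readers do not conclude the axios setting is what makes cookie-based WebSocket auth work.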
@@ -61,6 +65,7 @@ The browser automatically sends the `auth_token` cookie when establishing WebSoc
**Location:** `backend/internal/api/middleware/auth.go`
Authentication priority order:
1. **Authorization header** (Bearer token) - for API clients
2. **auth_token cookie** (HttpOnly) - **preferred for browsers and WebSockets**
3. **token query parameter** - **deprecated**, kept for backward compatibility only
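Review bot: as long as priority 3 stays in place the middleware still accepts a `token` query parameter, so the access-log exposure described under Security Risk persists for any client that keeps using it. Suggest documenting the release in which the fallback is removed and, until then, that the server emits a deprecation warning whenever the fallback is exercised so operators can locate remaining callers.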
@@ -72,6 +77,7 @@ The query parameter fallback is marked as deprecated and will be removed in a fu
**Location:** `backend/internal/api/handlers/auth_handler.go`
The `auth_token` cookie is set with security best practices:
- **HttpOnly**: `true` - prevents JavaScript access (XSS protection)
- **Secure**: `true` (in production with HTTPS) - prevents transmission over HTTP
- **SameSite**: `Strict` (HTTPS) or `Lax` (HTTP/IP) - CSRF protection
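Review bot: the SameSite bullet should state what protection remains for the WebSocket upgrade in the `Lax` (HTTP/IP) case, and the Secure bullet should say plainly that the cookie travels in clear text on those deployments. Since cookie-based WebSocket auth otherwise relies on SameSite alone, suggest also documenting whether the upgrade handler validates the `Origin` header against the configured host as defense in depth against cross-site WebSocket hijacking.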
@@ -94,15 +100,19 @@ The `auth_token` cookie is set with security best practices:
To verify tokens are not logged:
1. **Before the fix:** Check Caddy access logs for token exposure:
```bash
docker logs charon 2>&1 | grep "token=" | grep -o "token=[^&]*"
```
Would show: `token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...`
2. **After the fix:** Check that WebSocket URLs are clean:
```bash
docker logs charon 2>&1 | grep "/logs/live\|/cerberus/logs/ws"
```
Shows: `/api/v1/logs/live?source=waf&level=error` (no token)
## Migration Path
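Review bot: the after-the-fix check only greps for the two WebSocket paths, so it shows those URLs are clean but not that no token reaches the logs at all. Because the deprecated query-parameter fallback still exists, suggest repeating the before-the-fix command (`docker logs charon 2>&1 | grep "token="`) after the change, expecting no output, and stating that any remaining hit identifies a client that still needs migrating.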
@@ -110,6 +120,7 @@ To verify tokens are not logged:
### For Users
No action required. The change is transparent:
- Login sets the HttpOnly cookie
- WebSocket connections automatically use the cookie
- Existing sessions continue to work
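Review bot: "Existing sessions continue to work" needs qualification. The cookie is set at login, so a browser session established before this change holds only the localStorage token the frontend no longer sends, and nothing in this section says how such a session obtains the cookie. Suggest stating whether those users must log in once more or whether the backend issues the cookie on their next authenticated request.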