feat: add security presets and block list recommendations for ACLs

- Add security preset system with curated threat intelligence
  - High-Risk Countries preset (RU, CN, KP, IR, etc.) ~800M IPs
  - Expanded Threat List preset ~1.2B IPs
  - Cloud Scanner IPs preset (Shodan, Censys) ~3K IPs
  - Tor Exit Nodes preset ~1.2K IPs (changes daily)
- Add tooltips linking to data sources (SANS ISC, Spamhaus, Tor Project)
- Add 'Get My IP' button to quickly add current IP to allowlist
- Add IP range calculator showing total IPs covered by rules
- Emphasize block lists over allow lists in UI
  - Renamed UI labels to show 'Recommended' for block lists
  - Added info box explaining why block lists are safer
- Add /system/my-ip API endpoint to fetch user's public IP
  - Handles X-Forwarded-For, X-Real-IP, CF-Connecting-IP headers
  - Returns IP and source (direct, proxy, Cloudflare, etc.)
- Add ARIA attributes to ProxyHosts checkboxes for accessibility

Block lists prevent lockouts while maintaining security by blocking
known threats instead of requiring explicit allow lists that can
inadvertently block legitimate users (especially CGNAT/mobile users).

Note: Bulk delete tests need refinement (event simulation) - tracked
separately.

frontend/src/api/system.ts

@@ -32,3 +32,13 @@ export const markNotificationRead = async (id: string): Promise<void> => {
 export const markAllNotificationsRead = async (): Promise<void> => {
   await client.post('/notifications/read-all');
 };
+
+export interface MyIPResponse {
+  ip: string;
+  source: string;
+}
+
+export const getMyIP = async (): Promise<MyIPResponse> => {
+  const response = await client.get<MyIPResponse>('/system/my-ip');
+  return response.data;
+};