fix: address review findings for observability PR

1. Security: Replace insecure extractRemoteIP() in audit service with
   middleware.RealIP() which validates trusted proxies before trusting
   X-Real-IP/X-Forwarded-For headers. Export RealIP from middleware.
   Update audit tests to verify anti-spoofing behavior.

2. Audit coverage: Add audit instrumentation to all 9 handlers that
   had dead action constants: HandleEnvVarSave, HandleLabelAdd,
   HandleLabelEdit, HandleLabelDelete, HandleVolumeAdd, HandleVolumeEdit,
   HandleVolumeDelete, HandlePortAdd, HandlePortDelete.

3. README: Fix API path from /api/audit to /api/v1/audit.

4. README: Fix duplicate numbering in DI order section (items 10-11
   were listed twice, now correctly numbered 10-16).

README.md

@@ -67,11 +67,11 @@ Uses Uber fx for dependency injection. Components are wired in this order:
 9. `docker` - Docker client
 10. `notify` - Notification service
 11. `audit` - Audit logging service
-10. `deploy` - Deployment service
-11. `webhook` - Webhook processing
-12. `middleware` - HTTP middleware
-13. `handlers` - HTTP handlers
-14. `server` - HTTP server
+12. `deploy` - Deployment service
+13. `webhook` - Webhook processing
+14. `middleware` - HTTP middleware
+15. `handlers` - HTTP handlers
+16. `server` - HTTP server
 
 ### Request Flow
 
@@ -247,7 +247,7 @@ All user-facing actions are recorded in an `audit_log` SQLite table with:
 Audited actions include login/logout, app CRUD, deployments, container
 start/stop/restart, rollbacks, deployment cancellation, and webhook receipt.
 
-The audit log is available via the API at `GET /api/audit?limit=N` (max 500,
+The audit log is available via the API at `GET /api/v1/audit?limit=N` (max 500,
 default 50).
 
 ### Structured Logging