Server: Add bot protection middleware

- Global rate limiting (60 requests/minute per IP)
- IP whitelist/blacklist via ALLOWED_IPS and BLOCKED_IPS env vars
- Bot detection - silent 404 for suspicious paths (.env, phpinfo, etc.)
- Path traversal detection
- Reduced noise in logs from bot scanners

server/main.py

@@ -29,6 +29,22 @@ manifest_cache = TTLCache(maxsize=100, ttl=300)
 
 BUILDS_DIR = Path("builds")
 
+# IP Filtering Configuration
+import os
+import middleware as mw
+
+# Configure allowed IPs (empty = allow all, set IPs = only these allowed)
+ALLOWED_IPS = set(os.environ.get("ALLOWED_IPS", "").split(",")) - {""}
+# Configure blocked IPs
+BLOCKED_IPS = set(os.environ.get("BLOCKED_IPS", "").split(",")) - {""}
+
+if ALLOWED_IPS:
+    logger.info(f"IP whitelist enabled: {len(ALLOWED_IPS)} IPs allowed")
+if BLOCKED_IPS:
+    logger.info(f"IP blacklist enabled: {len(BLOCKED_IPS)} IPs blocked")
+
+mw.set_ip_config(allowed=ALLOWED_IPS, blocked=BLOCKED_IPS)
+
 
 @asynccontextmanager
 async def lifespan(app: FastAPI):