
fix: make Arcane reverse-proxy aware to resolve connection issues #2717

Merged: kmendell merged 1 commit into main from fix/rp-issues on May 24, 2026

Conversation

@kmendell (Member) commented May 23, 2026

Checklist

  • This PR is not opened from my fork’s main branch

What This PR Implements

Fixes: #2661

Changes Made

Testing Done

  • Development environment started: ./scripts/development/dev.sh start
  • Frontend verified at http://localhost:3000
  • Backend verified at http://localhost:3552
  • Manual testing completed (describe):
  • No linting errors (e.g., just lint all)
  • Backend tests pass: just test backend

AI Tool Used (if applicable)

AI Tool:
Assistance Level:
What AI helped with:
I reviewed and edited all AI-generated output:
I ran all required tests and manually verified changes:

Additional Context

Greptile Summary

This PR makes Arcane reverse-proxy aware by introducing a TRUSTED_PROXIES-gated middleware that propagates the HTTPS scheme decision via request context so cookie names (__Host-token vs token), Secure flags, and clear directives all round-trip correctly through an HTTPS reverse proxy. It also adds a WebSocket ping/pong heartbeat to prevent idle connections from being silently dropped by upstream proxies.

  • Cookie scheme detection is moved from raw X-Forwarded-Proto inspection to a context key populated by secureCookieContextMiddlewareInternal, which checks that the direct TCP peer falls within TRUSTED_PROXIES before trusting the header — untrusted clients cannot spoof the flag.
  • Auto-proxy defaults: when LISTEN is bound to an explicit loopback IP literal, TRUSTED_PROXIES is auto-set to loopback CIDRs so the typical Caddy/Nginx/Traefik setup works without manual configuration.
  • WebSocket heartbeat: forwardAgentToClient now sends a ping every 54 s and closes the stream if no pong arrives within 60 s, with properly scoped write deadlines (1 s for ping frames, 10 s for data frames).

Confidence Score: 5/5

Safe to merge; the trust-gating logic correctly validates the TCP peer before honoring X-Forwarded-Proto, and both cookie set and clear paths now use consistent names for the secure context.

The core security property — that untrusted clients cannot force __Host-token / Secure cookies by forging X-Forwarded-Proto — is enforced at the middleware layer against req.RemoteAddr, which cannot be spoofed by application-level headers. Cookie name selection and clear directives are now symmetric. The only finding is a naming-convention nit on the new applyProxyDefaults helper.

No files require special attention beyond the minor naming convention issue in backend/internal/config/config.go.

---

### Issue 1 of 1
backend/internal/config/config.go:136
The new `applyProxyDefaults` function is unexported but lacks the `Internal` suffix required by the project's naming rule for private helpers. All other new private helpers in this PR follow the convention (`parseTrustedProxyCIDRsInternal`, `secureCookieContextMiddlewareInternal`, `remoteAddrInTrustedProxiesInternal`, `buildClearTokenCookieStringInternal`).

```suggestion
func applyProxyDefaultsInternal(cfg *Config) {
```

Reviews (3): last reviewed commit "fix: make Arcane reverse-proxy aware to ..."

Context used:

  • Rule used - What: All unexported functions must have the "Inte... (source)
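The trust-gating and cookie-naming behaviour the summary describes, as an added Go example that is not Arcane's own code: function and variable names are assumptions, TRUSTED_PROXIES is taken as a comma-separated CIDR list, and, going one step beyond the summary, TLS terminated directly on the socket is also treated as secure.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"strings"
)

// parseTrustedProxies (constructed example, not Arcane's parser) splits a TRUSTED_PROXIES CIDR list.
func parseTrustedProxies(spec string) (nets []*net.IPNet, err error) {
	for _, s := range strings.Split(spec, ",") {
		_, n, e := net.ParseCIDR(strings.TrimSpace(s))
		if e != nil {
			return nil, e
		}
		nets = append(nets, n)
	}
	return nets, nil
}

// isSecureRequest honours X-Forwarded-Proto only from a peer (RemoteAddr) inside a trusted CIDR.
func isSecureRequest(r *http.Request, trusted []*net.IPNet) bool {
	if r.TLS != nil {
		return true // TLS terminated here: always secure
	}
	host, _, _ := net.SplitHostPort(r.RemoteAddr) // TCP peer; no header can alter it; unparsable fails closed
	ip, peerTrusted := net.ParseIP(host), false
	for _, n := range trusted {
		peerTrusted = peerTrusted || (ip != nil && n.Contains(ip))
	}
	proto := strings.TrimSpace(strings.Split(r.Header.Get("X-Forwarded-Proto"), ",")[0])
	return peerTrusted && strings.EqualFold(proto, "https")
}

// tokenCookie keeps the cookie name and Secure flag in sync for the decided scheme.
func tokenCookie(secure bool, v string) *http.Cookie {
	c := &http.Cookie{Name: "token", Value: v, Path: "/", HttpOnly: true, Secure: secure, SameSite: http.SameSiteLaxMode}
	if secure { // __Host- prefix needs Secure, Path=/ and no Domain; a clear must reuse this name
		c.Name = "__Host-token"
	}
	return c
}
func main() {
	trusted, _ := parseTrustedProxies("127.0.0.0/8,::1/128") // constructed loopback defaults
	r, _ := http.NewRequest("GET", "http://arcane.local/", nil)
	r.Header.Set("X-Forwarded-Proto", "https")
	r.RemoteAddr = "203.0.113.7:5000" // untrusted peer: the header is ignored
	fmt.Println(tokenCookie(isSecureRequest(r, trusted), "t").Name) // prints "token"
}
```

Because the cookie name is derived from the same decision on both the set and clear paths, a session issued as __Host-token behind the proxy is also cleared under that name.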

@kmendell kmendell marked this pull request as ready for review May 23, 2026 18:55
kmendell (Member, Author) commented May 23, 2026

This stack of pull requests is managed by Graphite. Learn more about stacking.

@getarcaneappbot (Contributor) commented May 23, 2026

Container images for this PR have been built successfully!

  • Manager: ghcr.io/getarcaneapp/manager:pr-2717
  • Agent: ghcr.io/getarcaneapp/agent:pr-2717

Built from commit 0e5c58c

Comment thread backend/pkg/utils/cookie/cookie_util.go Outdated
Comment thread backend/pkg/utils/cookie/cookie_util.go Outdated
Comment thread backend/internal/config/config.go Outdated
@kmendell kmendell force-pushed the fix/rp-issues branch 5 times, most recently from 474d33d to 2db7299 Compare May 23, 2026 22:26
@kmendell kmendell merged commit 7d72bb1 into main May 24, 2026
26 checks passed
@kmendell kmendell deleted the fix/rp-issues branch May 24, 2026 03:30
github-actions Bot added a commit to ShobuPrime/home-assistant-apps that referenced this pull request May 26, 2026
## Arcane Docker Manager Update

This automated PR updates Arcane from `1.19.4` to `1.19.5`.

### Changelog


### Bug fixes

* improve environment proxy error handling ([#2649](getarcaneapp/arcane#2649) by `kmendell`)
* align local BuildKit load/push exporter ([#2650](getarcaneapp/arcane#2650) by `kmendell`)
* PUID and PGID being set on project subfolder on every startup ([#2656](getarcaneapp/arcane#2656) by `kmendell`)
* system upgrade doesnt support non unix socket docker hosts ([#2651](getarcaneapp/arcane#2651) by `kmendell`)
* resizing window discards edits in compose editors ([#2719](getarcaneapp/arcane#2719) by `kmendell`)
* only validate project name if it has changed ([#2720](getarcaneapp/arcane#2720) by `kmendell`)
* make Arcane reverse-proxy aware to resolve connection issues ([#2717](getarcaneapp/arcane#2717) by `kmendell`)
* tolerate undefined typed env vars in GitOps sync ([#2721](https://github.com/getarcaneapp/arcane/pu

### Changes

- Updated `config.yaml` version
- Updated `build.yaml` ARCANE_VERSION
- Updated `Dockerfile` ARCANE_VERSION
- Updated documentation files
- Updated CHANGELOG.md

### Release Notes

Full release notes: https://github.com/getarcaneapp/arcane/releases/tag/v1.19.5

---

This PR was automatically generated by the Update Arcane workflow

Auto-merged by GitHub Actions

Development

Successfully merging this pull request may close these issues.

🐞 Bug: Connection issues when running behind Reverse Proxy

2 participants