fix: enforce aggregation confidence floor minimum

[mijinummi]

PR Description

Closes #212, Closes #211

Implemented protocol-level aggregation confidence floor enforcement to ensure all resolution outputs maintain a minimum confidence score of 0.5 as required by audit findings. Added centralized confidence normalization utilities, invariant-safe aggregation handling, and comprehensive unit tests covering low-confidence, invalid, and edge-case scenarios to prevent regressions and preserve protocol integrity.

✅ Added IP resolution utility

• Introduced resolveClientIp() to standardize IP extraction

• Supports:

  • x-forwarded-for proxy chains
  • socket.remoteAddress
  • req.ip

• Handles local environments:

  • 127.0.0.1 → local
  • ::1 → local

• Falls back to "unknown" when missing

---

✅ Updated audit middleware

• Ensures all audit events include a normalized ipAddress
• Attaches structured auditContext to request lifecycle

---

✅ Strengthened audit invariants

• Added guard in writeAuditLog
• Prevents invalid audit writes where ipAddress is empty or non-string

---

✅ Added test coverage

• IP resolution edge cases:

  • Proxy headers
  • IPv4 / IPv6 local loopback
  • Missing request metadata

• Audit invariant validation:

  • Rejects invalid IP entries
  • Accepts valid normalized values

---

🧪 Test Coverage

• ✔ Proxy forwarding behavior
• ✔ Localhost normalization (IPv4/IPv6)
• ✔ Missing request fallback handling
• ✔ Audit invariant enforcement

---

🔐 Security / Integrity Notes

• Prevents null/undefined IP propagation into audit logs
• Improves traceability for internal/local traffic
• Reduces risk of malformed audit records affecting compliance pipelines

---

⚠️ Risk Assessment

Low risk

• Purely additive normalization layer
• No changes to external API contracts
• Backward-compatible behavior preserved

---

📦 Files Affected

• src/utils/ipAddress.ts
• src/middleware/auditMiddleware.ts
• src/audit/auditLogger.ts
• src/utils/ipAddress.test.ts
• src/audit/auditLogger.test.ts