Staging IP whitelist: proxy protocol + Traefik middleware

- Hetzner LB: proxy protocol enabled on port 80+443
- Traefik: proxyProtocol.trustedIPs includes LB public IP (46.225.37.135)
- Middleware in docfast-staging + snapapi-staging: allows only 178.115.247.134
- Documented in k3s-infra skill for future projects
- DaemonSet updateStrategy note: helm resets maxUnavailable

skills/k3s-infra/SKILL.md

@@ -242,3 +242,38 @@ See `projects/business/memory/infrastructure.md` for full roadmap.
 - DNS: staging.docfast.dev
 - Persist HA constraints as infra-as-code
 - Decommission old server
+
+## Staging IP Whitelist
+
+All staging environments are IP-whitelisted to the openclaw-vm public IP only.
+
+**How it works:**
+- Hetzner LB has proxy protocol enabled (both port 80 and 443)
+- Traefik configured with `proxyProtocol.trustedIPs` for the LB IP (46.225.37.135/32) and private network (10.0.0.0/8)
+- Traefik Middleware `staging-ipwhitelist` in each staging namespace allows only 178.115.247.134/32
+- Middleware attached to staging ingresses via annotation `traefik.ingress.kubernetes.io/router.middlewares`
+
+**For new projects:**
+1. Create middleware in the staging namespace:
+```yaml
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: staging-ipwhitelist
+  namespace: <project>-staging
+spec:
+  ipAllowList:
+    sourceRange:
+      - 178.115.247.134/32
+```
+2. Annotate the staging ingress:
+```
+traefik.ingress.kubernetes.io/router.middlewares: <project>-staging-staging-ipwhitelist@kubernetescrd
+```
+
+**Traefik Helm config (managed via `helm upgrade`):**
+- `additionalArguments`: proxyProtocol.trustedIPs for web + websecure entrypoints
+- `logs.access.enabled=true` for debugging
+- DaemonSet updateStrategy must be patched to `maxUnavailable: 1` after each helm upgrade (helm resets it)
+
+**Note:** If openclaw-vm's public IP changes, update ALL staging-ipwhitelist middlewares.