fix(compose): plumb TRUST_PROXY + ALLOWED_ORIGINS through to mam-api container

Task 18 documented the two new env vars in .env.example and README but never
added them to docker-compose.yml's mam-api environment block. Without that,
the vars in .env never reach the container — so AUTH_ENABLED=true was running
with effective TRUST_PROXY=false (req.ip = proxy IP, rate-limit collapses to
per-proxy bucket) and ALLOWED_ORIGINS unset (CORS allows any origin).

docker-compose.yml

@@ -55,6 +55,8 @@ services:
       S3_REGION: ${S3_REGION:-us-east-1}
       SESSION_SECRET: ${SESSION_SECRET}
       AUTH_ENABLED: ${AUTH_ENABLED:-false}
+      TRUST_PROXY: ${TRUST_PROXY:-false}
+      ALLOWED_ORIGINS: ${ALLOWED_ORIGINS:-}
       DOCKER_NETWORK: wild-dragon_wild-dragon
       NODE_IP: ${NODE_IP}
       NODE_HOSTNAME: ${NODE_HOSTNAME:-}