Auth fixes, show correct cost each value on pos

inventory-server/src/server.js

@@ -78,6 +78,12 @@ requiredDirs.forEach((dir) => {
 
 const app = express();
 
+// Trust X-Forwarded-* only when the immediate hop is loopback (Caddy on the same
+// host). Anything stricter would leave req.ip as 127.0.0.1; anything looser would
+// let arbitrary clients spoof their source IP via X-Forwarded-For. Required for
+// the KIOSK_IPS bypass in shared/auth/middleware.js to match real client IPs.
+app.set('trust proxy', 'loopback');
+
 // Phase 6.5/6.9: structured access log (replaces the previous header-dumping debug
 // middleware that wrote raw Authorization values to stdout). Pino redaction strips
 // `authorization` and `cookie` automatically — see shared/logging/logger.js.