docs(bunny): document IP header trust assumptions and security considerations#185

Closed
Copilot wants to merge 3 commits into feat/bunny-adapter from copilot/sub-pr-182

Copilot AI commented Feb 17, 2026

Added documentation clarifying that the Bunny.net adapter assumes the platform filters x-forwarded-for and x-real-ip headers to prevent IP spoofing, but this has not been verified against official documentation.

Changes:

  • Added inline comment in src/adapters/bunny.ts explaining IP header trust assumptions
  • Documented comparison to similar edge runtimes (Cloudflare's cf-connecting-ip)
  • Added warning to verify behavior before security-critical use (rate limiting, access control)

// IP address from Bunny headers
// Note: This implementation assumes Bunny.net Edge Scripting filters and sets
// x-forwarded-for and x-real-ip headers to prevent IP spoofing. While this
// follows the pattern used in similar edge runtimes (like Cloudflare with
// cf-connecting-ip), we have not verified this behavior in Bunny.net's
// official documentation. Users should verify that Bunny.net's infrastructure
// properly sanitizes these headers before relying on them for security-critical
// purposes such as rate limiting or access control.

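The trust question raised in this PR description, as an added example (not code from the adapter or from this PR): a naive resolver that takes the leftmost `x-forwarded-for` entry, beside one that uses the header only for a declared number of trusted proxy hops. `trustedHops`, the function names and the sample addresses are assumptions made for illustration, as is the premise that each trusted proxy appends the peer address it saw.

```typescript
// Added example, not the adapter's code; `trustedHops` is a hypothetical option.
type HeaderBag = Record<string, string | undefined>;

// Loose syntactic check (IPv4 octets, or hex/colon IPv6) to reject junk values.
function looksLikeIp(value: string): boolean {
  const octets = value.split(".");
  if (octets.length === 4) {
    return octets.every((o) => /^\d{1,3}$/.test(o) && Number(o) <= 255);
  }
  return value.indexOf(":") !== -1 && /^[0-9a-fA-F:]+$/.test(value);
}

// Naive form: the leftmost x-forwarded-for entry is whatever the caller sent.
function naiveClientIp(headers: HeaderBag): string | undefined {
  const xff = headers["x-forwarded-for"];
  return xff ? (xff.split(",")[0] ?? "").trim() : headers["x-real-ip"];
}

// Hardened form. Assumption: each trusted proxy appends the peer address it
// saw, so with N trusted hops the client is the Nth entry from the right.
// Entries further left were supplied by the caller and are ignored.
function resolveClientIp(
  headers: HeaderBag,
  socketAddress: string,
  trustedHops: number,
): { ip: string; source: "socket" | "x-forwarded-for" } {
  const fallback = { ip: socketAddress, source: "socket" as const };
  // 0 means the platform's header handling has not been verified: trust nothing.
  if (trustedHops <= 0) return fallback;
  const chain = (headers["x-forwarded-for"] ?? "")
    .split(",")
    .map((part) => part.trim())
    .filter((part) => part.length > 0);
  // Out-of-range index (chain shorter than trustedHops) yields undefined.
  const candidate = chain[chain.length - trustedHops];
  if (candidate === undefined || !looksLikeIp(candidate)) return fallback;
  return { ip: candidate, source: "x-forwarded-for" };
}

// Constructed request: the caller sent "203.0.113.7" itself and the edge
// appended the real peer address 198.51.100.23 (documentation-range addresses).
const sampleHeaders: HeaderBag = {
  "x-forwarded-for": "203.0.113.7, 198.51.100.23",
};
```

Keeping `trustedHops` at 0 until the platform's behaviour is confirmed means rate limiting and access control key on the socket address rather than on a caller-controlled value.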

Copilot AI and others added 2 commits February 17, 2026 08:36
… needs

Co-authored-by: pi0 <5158436+pi0@users.noreply.github.com>
Co-authored-by: pi0 <5158436+pi0@users.noreply.github.com>

Copilot AI commented Feb 17, 2026

Just as a heads up, I was blocked by some firewall rules while working on your feedback. Expand below for details.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • docs.bunny.net
    • Triggering command: /home/REDACTED/work/_temp/ghcca-node/node/bin/node /home/REDACTED/work/_temp/ghcca-node/node/bin/node --enable-source-maps /home/REDACTED/work/_temp/copilot-developer-action-main/dist/index.js (dns block)
  • support.bunny.net
    • Triggering command: /home/REDACTED/work/_temp/ghcca-node/node/bin/node /home/REDACTED/work/_temp/ghcca-node/node/bin/node --enable-source-maps /home/REDACTED/work/_temp/copilot-developer-action-main/dist/index.js (dns block)
  • www.npmjs.com
    • Triggering command: /home/REDACTED/work/_temp/ghcca-node/node/bin/node /home/REDACTED/work/_temp/ghcca-node/node/bin/node --enable-source-maps /home/REDACTED/work/_temp/copilot-developer-action-main/dist/index.js (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

Copilot AI changed the title from "[WIP] WIP Addressing documentation feedback on Bunny.net adapter" to "docs(bunny): document IP header trust assumptions and security considerations" Feb 17, 2026
Copilot AI requested a review from pi0 February 17, 2026 08:39
@pi0 pi0 closed this Feb 17, 2026