Update CLAUDE.md and README for revised behavior

Document RateLimit's RemoteAddr-by-default keying and WithTrustedProxies, and
that WithMaxResponseBody returns ErrResponseTooLarge rather than truncating.

CLAUDE.md

@@ -24,7 +24,7 @@ go vet ./...                            # static analysis
 - **Client.Close()** stops the health checker goroutine
 - **Client.Patch()** — PATCH method, same pattern as Put/Post
 - **NewFormRequest** — form-encoded request builder (`application/x-www-form-urlencoded`) with `GetBody` for retry
-- **WithMaxResponseBody** — wraps `resp.Body` with `io.LimitedReader` to prevent OOM
+- **WithMaxResponseBody** — caps `resp.Body` reads; returns `ErrResponseTooLarge` (not silent truncation) when exceeded
 - **middleware.RequestID()** — propagates request ID from context to outgoing `X-Request-Id` header
 - **`internal/requestid`** — shared context key used by both `server` and `middleware` packages to avoid circular imports
 
@@ -37,7 +37,7 @@ go vet ./...                            # static analysis
 - **Defaults()** preset: RequestID → Recovery → Logging + production timeouts
 - **HealthHandler** exposes `GET /healthz` (liveness) and `GET /readyz` (readiness with pluggable checkers)
 - **CORS** middleware — preflight OPTIONS handling, `AllowOrigins`, `AllowMethods`, `AllowHeaders`, `ExposeHeaders`, `AllowCredentials`, `MaxAge`
-- **RateLimit** middleware — per-key token bucket (`sync.Map`), IP from `X-Forwarded-For`, `WithRate`/`WithBurst`/`WithKeyFunc`, uses `internal/clock`
+- **RateLimit** middleware — per-key token bucket (`sync.Map`), keys on `RemoteAddr` by default; `X-Forwarded-For` is honored only via `WithTrustedProxies`; `WithRate`/`WithBurst`/`WithKeyFunc`/`WithMaxKeys`, uses `internal/clock`, idle buckets evicted to bound memory
 - **MaxBodySize** middleware — wraps `r.Body` via `http.MaxBytesReader`
 - **Timeout** middleware — wraps `http.TimeoutHandler`, returns 503
 - **WriteJSON** / **WriteError** — JSON response helpers in `server/respond.go`