merge: 合并远程分支并修复代码冲突

合并了远程分支 cb72262 的功能更新，同时保留了 ESLint 修复：

**冲突解决详情：**

1. AccountTableFilters.vue
   - ✅ 保留 emit 模式修复（避免 vue/no-mutating-props 错误）
   - ✅ 添加第三个筛选器 type（账户类型）
   - ✅ 新增 antigravity 平台和 inactive 状态选项

2. UserBalanceModal.vue
   - ✅ 保留 console.error 错误日志
   - ✅ 添加输入验证（金额校验、余额不足检查）
   - ✅ 使用 appStore.showError 向用户显示友好错误

3. AccountsView.vue
   - ✅ 保留所有 console.error 错误日志（避免 no-empty 错误）
   - ✅ 使用新 API：clearRateLimit 和 setSchedulable

4. UsageView.vue
   - ✅ 添加 console.error 错误日志
   - ✅ 添加图表功能（模型分布、使用趋势）
   - ✅ 添加粒度选择（按天/按小时）
   - ✅ 保留 XLSX 动态导入优化

**测试结果：**
- ✅ Go tests: PASS
- ✅ golangci-lint: 0 issues
- ✅ ESLint: 0 errors
- ✅ TypeScript: PASS

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

backend/internal/config/config.go

@@ -6,6 +6,7 @@ import (
 	"encoding/hex"
 	"fmt"
 	"log"
+	"os"
 	"strings"
 	"time"
 
@@ -17,7 +18,7 @@ const (
 	RunModeSimple   = "simple"
 )
 
-const DefaultCSPPolicy = "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; img-src 'self' data: https:; font-src 'self' data: https://fonts.gstatic.com; connect-src 'self' https:; frame-ancestors 'none'; base-uri 'self'; form-action 'self'"
+const DefaultCSPPolicy = "default-src 'self'; script-src 'self' https://challenges.cloudflare.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; img-src 'self' data: https:; font-src 'self' data: https://fonts.gstatic.com; connect-src 'self' https:; frame-src https://challenges.cloudflare.com; frame-ancestors 'none'; base-uri 'self'; form-action 'self'"
 
 // 连接池隔离策略常量
 // 用于控制上游 HTTP 连接池的隔离粒度，影响连接复用和资源消耗
@@ -338,8 +339,19 @@ func NormalizeRunMode(value string) string {
 func Load() (*Config, error) {
 	viper.SetConfigName("config")
 	viper.SetConfigType("yaml")
+
+	// Add config paths in priority order
+	// 1. DATA_DIR environment variable (highest priority)
+	if dataDir := os.Getenv("DATA_DIR"); dataDir != "" {
+		viper.AddConfigPath(dataDir)
+	}
+	// 2. Docker data directory
+	viper.AddConfigPath("/app/data")
+	// 3. Current directory
 	viper.AddConfigPath(".")
+	// 4. Config subdirectory
 	viper.AddConfigPath("./config")
+	// 5. System config directory
 	viper.AddConfigPath("/etc/sub2api")
 
 	// 环境变量支持
@@ -372,13 +384,13 @@ func Load() (*Config, error) {
 	cfg.Security.ResponseHeaders.ForceRemove = normalizeStringSlice(cfg.Security.ResponseHeaders.ForceRemove)
 	cfg.Security.CSP.Policy = strings.TrimSpace(cfg.Security.CSP.Policy)
 
-	if cfg.Server.Mode != "release" && cfg.JWT.Secret == "" {
+	if cfg.JWT.Secret == "" {
 		secret, err := generateJWTSecret(64)
 		if err != nil {
 			return nil, fmt.Errorf("generate jwt secret error: %w", err)
 		}
 		cfg.JWT.Secret = secret
-		log.Println("Warning: JWT secret auto-generated for non-release mode. Do not use in production.")
+		log.Println("Warning: JWT secret auto-generated. Consider setting a fixed secret for production.")
 	}
 
 	if err := cfg.Validate(); err != nil {
@@ -392,7 +404,7 @@ func Load() (*Config, error) {
 		log.Println("Warning: security.response_headers.enabled=false; configurable header filtering disabled (default allowlist only).")
 	}
 
-	if cfg.Server.Mode != "release" && cfg.JWT.Secret != "" && isWeakJWTSecret(cfg.JWT.Secret) {
+	if cfg.JWT.Secret != "" && isWeakJWTSecret(cfg.JWT.Secret) {
 		log.Println("Warning: JWT secret appears weak; use a 32+ character random secret in production.")
 	}
 	if len(cfg.Security.ResponseHeaders.AdditionalAllowed) > 0 || len(cfg.Security.ResponseHeaders.ForceRemove) > 0 {
@@ -549,17 +561,6 @@ func setDefaults() {
 }
 
 func (c *Config) Validate() error {
-	if c.Server.Mode == "release" {
-		if c.JWT.Secret == "" {
-			return fmt.Errorf("jwt.secret is required in release mode")
-		}
-		if len(c.JWT.Secret) < 32 {
-			return fmt.Errorf("jwt.secret must be at least 32 characters")
-		}
-		if isWeakJWTSecret(c.JWT.Secret) {
-			return fmt.Errorf("jwt.secret is too weak")
-		}
-	}
 	if c.JWT.ExpireHour <= 0 {
 		return fmt.Errorf("jwt.expire_hour must be positive")
 	}