fix: 修复 P0 安全和并发问题

- 修复敏感信息泄露：移除 Drive API 完整响应体打印，只记录状态码
- 修复并发安全问题：升级为 RWMutex，读写分离提升性能
- 修复资源泄漏风险：使用 defer 确保 resp.Body 正确关闭

backend/internal/pkg/geminicli/drive_client.go

@@ -94,10 +94,12 @@ func (c *driveClient) GetStorageQuota(ctx context.Context, accessToken, proxyURL
 			resp.StatusCode == http.StatusInternalServerError ||
 			resp.StatusCode == http.StatusBadGateway ||
 			resp.StatusCode == http.StatusServiceUnavailable) && attempt < maxRetries-1 {
-			_ = resp.Body.Close()
+			if err := func() error {
-			backoff := time.Duration(1<<uint(attempt)) * time.Second
+				defer func() { _ = resp.Body.Close() }()
-			jitter := time.Duration(rng.Intn(1000)) * time.Millisecond
+				backoff := time.Duration(1<<uint(attempt)) * time.Second
-			if err := sleepWithContext(backoff + jitter); err != nil {
+				jitter := time.Duration(rng.Intn(1000)) * time.Millisecond
+				return sleepWithContext(backoff + jitter)
+			}(); err != nil {
 				return nil, fmt.Errorf("request cancelled: %w", err)
 			}
 			continue

backend/internal/service/ratelimit_service.go

@@ -18,7 +18,7 @@ type RateLimitService struct {
 	usageRepo          UsageLogRepository
 	cfg                *config.Config
 	geminiQuotaService *GeminiQuotaService
-	usageCacheMu       sync.Mutex
+	usageCacheMu       sync.RWMutex
 	usageCache         map[int64]*geminiUsageCacheEntry
 }
 
@@ -138,8 +138,8 @@ func (s *RateLimitService) PreCheckUsage(ctx context.Context, account *Account,
 }
 
 func (s *RateLimitService) getGeminiUsageTotals(accountID int64, windowStart, now time.Time) (GeminiUsageTotals, bool) {
-	s.usageCacheMu.Lock()
+	s.usageCacheMu.RLock()
-	defer s.usageCacheMu.Unlock()
+	defer s.usageCacheMu.RUnlock()
 
 	if s.usageCache == nil {
 		return GeminiUsageTotals{}, false