feat(crs-sync): improve error messages and add private IP allowlist support

## Changes

### 1. Enhanced Error Messages
- Modified CRS sync error handling to show detailed error messages
- Changed from generic "internal error" to "CRS sync failed: <details>"
- Helps diagnose connection issues with private CRS deployments

### 2. Security Configuration
- Added SECURITY_URL_ALLOWLIST_ALLOW_PRIVATE_HOSTS environment variable
- Allows administrators to enable/disable private IP access for CRS sync
- Production default: false (secure)
- Test environment default: true (convenient for internal testing)

### 3. Flexible Configuration Support
- Added config.yaml mount support in both production and test environments
- Supports dual configuration methods:
  * config.yaml for detailed/complex configurations
  * Environment variables for quick overrides
- Priority: ENV vars > config.yaml > defaults

## Use Case
Enables CRS sync from internal deployments where CRS resolves to private IPs
(e.g., 10.x.x.x, 192.168.x.x) while maintaining security by default.

## Files Modified
- backend/internal/handler/admin/account_handler.go
- deploy/docker-compose.yml
- deploy/docker-compose-test.yml

backend/internal/handler/admin/account_handler.go

@@ -354,7 +354,8 @@ func (h *AccountHandler) SyncFromCRS(c *gin.Context) {
 		SyncProxies: syncProxies,
 	})
 	if err != nil {
-		response.ErrorFrom(c, err)
+		// Provide detailed error message for CRS sync failures
+		response.InternalError(c, "CRS sync failed: "+err.Error())
 		return
 	}
 

deploy/docker-compose-test.yml

@@ -32,6 +32,8 @@ services:
     volumes:
       # Data persistence (config.yaml will be auto-generated here)
       - sub2api_data:/app/data
+      # Mount custom config.yaml (optional, overrides auto-generated config)
+      - ./config.yaml:/app/data/config.yaml:ro
     environment:
       # =======================================================================
       # Auto Setup (REQUIRED for Docker deployment)
@@ -95,6 +97,12 @@ services:
       - GEMINI_OAUTH_CLIENT_SECRET=${GEMINI_OAUTH_CLIENT_SECRET:-}
       - GEMINI_OAUTH_SCOPES=${GEMINI_OAUTH_SCOPES:-}
       - GEMINI_QUOTA_POLICY=${GEMINI_QUOTA_POLICY:-}
+
+      # =======================================================================
+      # Security Configuration (URL Allowlist)
+      # =======================================================================
+      # Allow private IP addresses for CRS sync (for internal deployments)
+      - SECURITY_URL_ALLOWLIST_ALLOW_PRIVATE_HOSTS=${SECURITY_URL_ALLOWLIST_ALLOW_PRIVATE_HOSTS:-true}
     depends_on:
       postgres:
         condition: service_healthy

deploy/docker-compose.yml

@@ -28,6 +28,8 @@ services:
     volumes:
       # Data persistence (config.yaml will be auto-generated here)
       - sub2api_data:/app/data
+      # Mount custom config.yaml (optional, overrides auto-generated config)
+      - ./config.yaml:/app/data/config.yaml:ro
     environment:
       # =======================================================================
       # Auto Setup (REQUIRED for Docker deployment)
@@ -93,9 +95,11 @@ services:
       - GEMINI_QUOTA_POLICY=${GEMINI_QUOTA_POLICY:-}
 
       # =======================================================================
-      # Security Configuration
+      # Security Configuration (URL Allowlist)
       # =======================================================================
       - SECURITY_URL_ALLOWLIST_UPSTREAM_HOSTS=${SECURITY_URL_ALLOWLIST_UPSTREAM_HOSTS:-}
+      # Allow private IP addresses for CRS sync (for internal deployments)
+      - SECURITY_URL_ALLOWLIST_ALLOW_PRIVATE_HOSTS=${SECURITY_URL_ALLOWLIST_ALLOW_PRIVATE_HOSTS:-false}
     depends_on:
       postgres:
         condition: service_healthy