feat(安全): 添加安全开关并完善测试流程

实现安全开关默认关闭与响应头透传逻辑
- URL 校验与响应头过滤支持开关并覆盖流式路径
- 非流式 Content-Type 透传/默认值按配置生效
- 接入 go test、golangci-lint 与前端 lint/typecheck
- 补充相关测试与配置/文档说明

backend/internal/repository/pricing_service.go

@@ -19,12 +19,14 @@ type pricingRemoteClient struct {
 
 func NewPricingRemoteClient(cfg *config.Config) service.PricingRemoteClient {
 	allowPrivate := false
+	validateResolvedIP := true
 	if cfg != nil {
 		allowPrivate = cfg.Security.URLAllowlist.AllowPrivateHosts
+		validateResolvedIP = cfg.Security.URLAllowlist.Enabled
 	}
 	sharedClient, err := httpclient.GetClient(httpclient.Options{
 		Timeout:            30 * time.Second,
-		ValidateResolvedIP: true,
+		ValidateResolvedIP: validateResolvedIP,
 		AllowPrivateHosts:  allowPrivate,
 	})
 	if err != nil {