feat(安全): 添加安全开关并完善测试流程

实现安全开关默认关闭与响应头透传逻辑
- URL 校验与响应头过滤支持开关并覆盖流式路径
- 非流式 Content-Type 透传/默认值按配置生效
- 接入 go test、golangci-lint 与前端 lint/typecheck
- 补充相关测试与配置/文档说明

backend/internal/service/pricing_service.go

@@ -409,6 +409,9 @@ func (s *PricingService) fetchRemoteHash() (string, error) {
 }
 
 func (s *PricingService) validatePricingURL(raw string) (string, error) {
+	if s.cfg != nil && !s.cfg.Security.URLAllowlist.Enabled {
+		return strings.TrimSpace(raw), nil
+	}
 	normalized, err := urlvalidator.ValidateHTTPSURL(raw, urlvalidator.ValidationOptions{
 		AllowedHosts:     s.cfg.Security.URLAllowlist.PricingHosts,
 		RequireAllowlist: true,