feat(安全): 强化安全策略与配置校验

- 增加 CORS/CSP/安全响应头与代理信任配置

- 引入 URL 白名单与私网开关，校验上游与价格源

- 改善 API Key 处理与网关错误返回

- 管理端设置隐藏敏感字段并优化前端提示

- 增加计费熔断与相关配置示例

测试: go test ./...

frontend/src/api/admin/settings.ts

@@ -26,14 +26,37 @@ export interface SystemSettings {
   smtp_host: string
   smtp_port: number
   smtp_username: string
-  smtp_password: string
+  smtp_password_configured: boolean
   smtp_from_email: string
   smtp_from_name: string
   smtp_use_tls: boolean
   // Cloudflare Turnstile settings
   turnstile_enabled: boolean
   turnstile_site_key: string
-  turnstile_secret_key: string
+  turnstile_secret_key_configured: boolean
+}
+
+export interface UpdateSettingsRequest {
+  registration_enabled?: boolean
+  email_verify_enabled?: boolean
+  default_balance?: number
+  default_concurrency?: number
+  site_name?: string
+  site_logo?: string
+  site_subtitle?: string
+  api_base_url?: string
+  contact_info?: string
+  doc_url?: string
+  smtp_host?: string
+  smtp_port?: number
+  smtp_username?: string
+  smtp_password?: string
+  smtp_from_email?: string
+  smtp_from_name?: string
+  smtp_use_tls?: boolean
+  turnstile_enabled?: boolean
+  turnstile_site_key?: string
+  turnstile_secret_key?: string
 }
 
 /**
@@ -50,7 +73,7 @@ export async function getSettings(): Promise<SystemSettings> {
  * @param settings - Partial settings to update
  * @returns Updated settings
  */
-export async function updateSettings(settings: Partial<SystemSettings>): Promise<SystemSettings> {
+export async function updateSettings(settings: UpdateSettingsRequest): Promise<SystemSettings> {
   const { data } = await apiClient.put<SystemSettings>('/admin/settings', settings)
   return data
 }