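feat(security): add security switches and improve the test workflow

Implement security switches that default to off, plus response header passthrough logic
- URL validation and response header filtering support the switches and cover the streaming path
- Non-streaming Content-Type passthrough/default value takes effect according to configuration
- Integrate go test, golangci-lint, and frontend lint/typecheck
- Add related tests and configuration/documentation notes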
yangjianbo
2026-01-05 13:54:43 +08:00
parent c8e5455df0
commit 794a9f969b
24 changed files with 1811 additions and 14 deletions


@@ -37,6 +37,8 @@ cors:
# =============================================================================
security:
url_allowlist:
# Enable URL allowlist validation (disable to skip all URL checks)
enabled: false
# Allowed upstream hosts for API proxying
upstream_hosts:
- "api.openai.com"
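
Review bot: The new `enabled: false` under `url_allowlist` ships the sample config fail-open: per its own comment, disabling skips all URL checks, so the `upstream_hosts` list right below it looks enforced but has no effect until someone flips the switch. I would either default this to `true` in the example file, or extend the comment to say explicitly that `upstream_hosts` and the other allowlist entries are ignored while `enabled` is false, and log a startup warning when the service runs with validation off so an operator who copied this file sees it.
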
@@ -55,6 +57,8 @@ security:
# Allow localhost/private IPs for upstream/pricing/CRS (use only in trusted networks)
allow_private_hosts: false
response_headers:
# Enable response header filtering (disable to pass through upstream headers)
enabled: false
# Extra allowed response headers from upstream
additional_allowed: []
# Force-remove response headers from upstream
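
Review bot: With `enabled: false` under `response_headers`, the comment says upstream headers are passed through, which leaves it unclear whether `additional_allowed` and the force-remove list are still honoured. Please document that in the comment on `enabled`, and consider applying the force-remove list even when filtering is disabled, since an operator who lists a header there most likely expects it to be stripped regardless of the switch. The `allow_private_hosts` comment in the context above also deserves a note on whether it still applies once `url_allowlist.enabled` is false.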