fix: P0问题修复 - JWT配置、安全扫描、备份、Runbook

P0 问题修复（按照 gap analysis）：

1. JWT密钥配置修复
   - config.yaml 移除占位符，改为空字符串
   - 添加测试验证 JWT_SECRET 环境变量覆盖功能

2. Docker 部署完善
   - 添加 deploy.resources 限制（内存 512M，CPU 0.5）
   - 添加 healthcheck 健康检查
   - 添加 restart: unless-stopped 重启策略

3. 安全扫描集成
   - 创建 scripts/security/run-gosec.sh 安全扫描脚本
   - 创建 scripts/security/workflow-template.yml CI工作流模板
   - 运行 gosec 扫描发现 6 个 HIGH 级别整数溢出问题

4. 备份自动化
   - 创建 scripts/backup/backup.sh 自动备份脚本
   - 支持 SQLite 数据库和配置文件备份
   - 支持备份验证、自动清理、恢复功能

5. Runbook 文档
   - 创建 docs/runbooks/ 目录
   - 添加 4 个核心 Runbook：服务启动、服务停止、备份恢复、日志分析
   - 添加 README.md 索引文档

scripts/security/workflow-template.yml

@@ -0,0 +1,93 @@
+# Go 安全扫描工作流
+# 集成 gosec 安全扫描
+#
+# 使用方法:
+#   1. 复制此文件到 .github/workflows/security.yml
+#   2. 或适配到 Gitea Actions
+#   3. 或手动运行: ./scripts/security/run-gosec.sh
+
+name: Security Scan
+
+on:
+  push:
+    branches: [main, develop]
+  pull_request:
+    branches: [main]
+  schedule:
+    - cron: '0 2 * * *'  # 每周凌晨2点运行
+
+jobs:
+  gosec:
+    name: Go Security Scan
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: '1.23'
+
+      - name: Install gosec
+        run: go install github.com/securego/gosec/v2/cmd/gosec@latest
+
+      - name: Run gosec
+        run: |
+          gosec -fmt json -out=gosec-report.json ./...
+
+      - name: Upload security report
+        uses: actions/upload-artifact@v4
+        with:
+          name: gosec-report
+          path: gosec-report.json
+
+      - name: Display results
+        run: |
+          if [ -f gosec-report.json ]; then
+            echo "Security issues found:"
+            cat gosec-report.json | jq -r '.Results[] | "\(.Severity): \(.Details)"' 2>/dev/null || cat gosec-report.json
+          fi
+
+  govulncheck:
+    name: Vulnerability Check
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: '1.23'
+
+      - name: Run govulncheck
+        run: |
+          go install golang.org/x/vuln/cmd/govulncheck@latest
+          govulncheck ./...
+
+  npm-audit:
+    name: NPM Audit
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: frontend/admin
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+          cache: 'npm'
+          cache-dependency-path: frontend/admin/package-lock.json
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Run npm audit
+        run: npm audit --audit-level=moderate