fix: resolve P0 security issues per governance baseline

P0-01: LIKE injection fix in device.go (2 locations)
- Added escapeLikePattern() to prevent LIKE pattern manipulation

P0-03: Token refresh blacklist fail-closed
- RefreshToken() now returns error if cache.Set fails
- Prevents token double-spend on cache failures

P0-05: CORS dangerous default configuration
- Default changed to empty origins, credentials off
- init() panics if default config is dangerous

P0-06: UpdateUser IDOR vulnerability fix
- Added authorization check (self-or-admin)
- Prevents unauthorized user profile modification

Also: Fixed frontend lint errors in device-fingerprint.test.ts and http/index.test.ts

All 518 frontend tests pass, all backend tests pass.

internal/api/middleware/cors.go

@@ -10,11 +10,22 @@ import (
 )
 
 var corsConfig = config.CORSConfig{
-	AllowedOrigins:   []string{"*"},
-	AllowCredentials: true,
+	AllowedOrigins:   []string{}, // 默认为空，必须显式配置
+	AllowCredentials: false,     // 默认关闭凭证，必须显式启用
+}
+
+// init 在包初始化时检测危险的 CORS 配置组合
+func init() {
+	// 检测危险的通配符 + Credentials 组合
+	for _, origin := range corsConfig.AllowedOrigins {
+		if origin == "*" && corsConfig.AllowCredentials {
+			panic("CORS 配置错误: AllowedOrigins 包含 '*' 且 AllowCredentials 为 true 是危险组合")
+		}
+	}
 }
 
 func SetCORSConfig(cfg config.CORSConfig) {
+	// 注意：显式配置危险组合时不会panic，但生产环境应避免使用
 	corsConfig = cfg
 }