fix(saas): P2 code quality fixes + config PATCH/PUT alignment

P2 code quality (SEC2-P2-01~10):
- P2-04: Replace vague TODO with detailed Phase 2 design note in generate_embedding.rs
- P2-05: Add NOTE(fire-and-forget) annotations to 4 long-running tokio::spawn in main.rs
- P2-07: Add DESIGN NOTE to scheduler explaining sequential execution rationale
- P2-08: Add compile-time table name whitelist + runtime char validation in db.rs
- P2-02: Verified N/A (only zclaw-pipeline uses serde_yaml_bw, no inconsistency)
- P2-06: Verified N/A (bind loop correctly matches 6-column placeholders)
- P2-03: Remains OPEN (requires upstream sqlx release)

Config HTTP method alignment (B3-4):
- Fix admin-v2 config.ts: request.patch -> request.put to match backend .put() route
- Fix backend handler doc comment: PATCH -> PUT
- Add @reserved annotations to 6 config handlers without frontend callers

crates/zclaw-saas/src/db.rs

@@ -868,7 +868,16 @@ async fn fix_seed_data(pool: &PgPool) -> SaasResult<()> {
     //    更新为每个 super_admin 都能看到（复制或统一）
     //    策略：统一为第一个 super_admin，然后为其余 admin 也复制关键数据
     let primary_admin = &admin_ids[0];
-    for table in &["relay_tasks", "usage_records", "operation_logs", "telemetry_reports"] {
+    // SAFETY: These table names are compile-time constants used in seed data fix only.
+    // The `validate_table_name` check provides defense-in-depth against future modifications.
+    const SEED_FIX_TABLES: &[&str] = &["relay_tasks", "usage_records", "operation_logs", "telemetry_reports"];
+    for table in SEED_FIX_TABLES {
+        // Defensive validation: ensure table name contains only alphanumeric + underscore
+        if !table.chars().all(|c| c.is_ascii_alphanumeric() || c == '_') {
+            tracing::error!("Invalid table name '{}' in SEED_FIX_TABLES, skipping", table);
+            continue;
+        }
+
         // 统计该表有多少不同的 account_id
         let distinct_count: (i64,) = sqlx::query_as(
             &format!("SELECT COUNT(DISTINCT account_id) FROM {}", table)