fix(security): implement all 15 security fixes from penetration test V1

Security audit (2026-03-31): 5 HIGH + 10 MEDIUM issues, all fixed.

HIGH:
- H1: JWT password_version mechanism (pwv in Claims, middleware verification,
  auto-increment on password change)
- H2: Docker saas port bound to 127.0.0.1
- H3: TOTP encryption key decoupled from JWT secret (production bailout)
- H4+H5: Tauri CSP hardened (removed unsafe-inline, restricted connect-src)

MEDIUM:
- M1: Persistent rate limiting (PostgreSQL rate_limit_events table)
- M2: Account lockout (5 failures -> 15min lock)
- M3: RFC 5322 email validation with regex
- M4: Device registration typed struct with length limits
- M5: Provider URL validation on create/update (SSRF prevention)
- M6: Legacy TOTP secret migration (fixed nonce -> random nonce)
- M7: Legacy frontend crypto migration (static salt -> random salt)
- M8+M9: Admin frontend: removed JS token storage, HttpOnly cookie only
- M10: Pipeline debug log sanitization (keys only, 100-char truncation)

Also: fixed CLAUDE.md Section 12 (was corrupted), added title.rs middleware
skeleton, fixed RegisterDeviceRequest visibility.

crates/zclaw-saas/src/state.rs

@@ -8,6 +8,7 @@ use tokio::sync::RwLock;
 use tokio_util::sync::CancellationToken;
 use crate::config::SaaSConfig;
 use crate::workers::WorkerDispatcher;
+use crate::cache::AppCache;
 
 /// 全局应用状态，通过 Axum State 共享
 #[derive(Clone)]
@@ -30,6 +31,8 @@ pub struct AppState {
     pub worker_dispatcher: WorkerDispatcher,
     /// 优雅停机令牌 — 触发后所有 SSE 流和长连接应立即终止
     pub shutdown_token: CancellationToken,
+    /// 应用缓存: Model/Provider/队列计数器
+    pub cache: AppCache,
 }
 
 impl AppState {
@@ -46,6 +49,7 @@ impl AppState {
             rate_limit_rpm: Arc::new(AtomicU32::new(rpm)),
             worker_dispatcher,
             shutdown_token,
+            cache: AppCache::new(),
         })
     }