fix(audit): Batch 4-6 中间件注释 + 依赖迁移 + 安全加固

Batch 4:
- kernel/mod.rs: 添加中间件注册顺序≠执行顺序注释
- EvolutionMiddleware 注册处标注 priority=78

Batch 5:
- desktop/src-tauri/Cargo.toml: serde_yaml 0.9 (deprecated) → serde_yaml_bw 2.x

Batch 6:
- saas/main.rs: CORS 开发模式改为显式 localhost origins (修复 Any+credentials 违规)
- docker-compose.yml: 移除默认弱密码 your_secure_password，改为必填校验
- director.rs: 用户输入添加 <user_input>/<user_request> 边界标记防注入

全量测试通过: 719 passed, 0 failed

crates/zclaw-kernel/src/kernel/mod.rs

@@ -239,6 +239,9 @@ impl Kernel {
         }
 
         // Data masking middleware — mask sensitive entities before any other processing
+        // NOTE: Registration order does NOT determine execution order.
+        // The chain sorts by priority() ascending before execution.
+        // Execution order: Evolution(78) → ButlerRouter(80) → DataMasking(90) → ...
         {
             use std::sync::Arc;
             let masker = Arc::new(zclaw_runtime::middleware::data_masking::DataMasker::new());
@@ -252,7 +255,8 @@ impl Kernel {
             growth = growth.with_llm_driver(driver.clone());
         }
 
-        // Evolution middleware — shared with MemoryMiddleware for pushing evolution candidates
+        // Evolution middleware — pushes evolution candidate skills into system prompt
+        // priority=78, executed first by chain (before ButlerRouter@80)
         let evolution_mw = std::sync::Arc::new(
             zclaw_runtime::middleware::evolution::EvolutionMiddleware::new()
         );