fix: round 10 critical fixes - WebSocket race, rate limiting, XSS protection, Caddyfile, and input validation

backend/gateway/internal/handler/memory_handler.go

@@ -4,6 +4,7 @@ import (
 	"bytes"
 	"encoding/json"
 	"fmt"
+	"html"
 	"io"
 	"log"
 	"net/http"
@@ -144,11 +145,11 @@ func (h *MemoryHandler) Add(c *gin.Context) {
 		userID = req.UserID
 	}
 
-	// 转发到 Memory-Service
+	// 转发到 Memory-Service（对用户输入进行 HTML 转义防 XSS）
 	memReq := map[string]interface{}{
 		"user_id":  userID,
-		"content":  req.Content,
-		"category": req.Category,
+		"content":  html.EscapeString(req.Content),
+		"category": html.EscapeString(req.Category),
 		"priority": req.Priority,
 	}
 	reqBody, _ := json.Marshal(memReq)