fix: 修复19个Bug (P0-P3) — 持续性调试第7轮发现的问题

P0 (5): crypto/rand session ID, TTS fallback可达性, goroutine defer recover, adminAuth前缀修正
P1 (5): 普通用户密码验证, context传递, priority clamp, 超时重试, 自主思考速率限制
P2 (4): Briefing AI降级, 前端消息类型渲染, Docker Compose补全, PWA 192图标
P3 (5): goroutine错误处理, .gitignore完善, reminder created_at, voice Dockerfile, Go版本更新

backend/gateway/internal/router/router.go

@@ -1,8 +1,8 @@
 package router
 
 import (
+	"database/sql"
 	"net/http"
-	"strings"
 
 	"github.com/gin-gonic/gin"
 
@@ -15,12 +15,16 @@ import (
 )
 
 // Setup 注册所有路由
-func Setup(r *gin.Engine, hub *ws.Hub, cfg *config.Config, sessionStore *store.SessionStore, reminderStore *store.ReminderStore, briefingStore *store.BriefingStore, automationStore *store.AutomationStore, fileStore *store.FileStore, ruleEngine *engine.RuleEngine, knowledgeStore *store.KnowledgeStore, imageHandler *handler.ImageHandler) {
+func Setup(r *gin.Engine, hub *ws.Hub, cfg *config.Config, sessionStore *store.SessionStore, reminderStore *store.ReminderStore, briefingStore *store.BriefingStore, automationStore *store.AutomationStore, fileStore *store.FileStore, ruleEngine *engine.RuleEngine, knowledgeStore *store.KnowledgeStore, imageHandler *handler.ImageHandler, db interface{}) {
 	// 限流器
 	rateLimiter := middleware.NewRateLimiter(10, 20) // 每秒10个请求，突发20
 
 	// 初始化处理器
-	authHandler := handler.NewAuthHandler(cfg)
+	var authDB *sql.DB
+	if db != nil {
+		authDB = db.(*sql.DB)
+	}
+	authHandler := handler.NewAuthHandler(cfg, authDB)
 	sessionHandler := handler.NewSessionHandler(hub, sessionStore)
 	memoryHandler := handler.NewMemoryHandler(cfg.MemoryServiceURL)
 	chatHandler := handler.NewChatHandler(cfg, hub)
@@ -227,11 +231,11 @@ func Setup(r *gin.Engine, hub *ws.Hub, cfg *config.Config, sessionStore *store.S
 	}
 }
 
-// adminAuth 管理员权限中间件 (检查 userID 是否以 "admin_" 开头)
+// adminAuth 管理员权限中间件 (检查认证中间件设置的 is_admin 标记)
 func adminAuth() gin.HandlerFunc {
 	return func(c *gin.Context) {
-		userID := middleware.GetUserID(c)
-		if userID == "" || !strings.HasPrefix(userID, "admin_") {
+		isAdmin, _ := c.Get(middleware.IsAdminKey)
+		if isAdmin == nil || !isAdmin.(bool) {
 			c.JSON(http.StatusForbidden, gin.H{"error": "需要管理员权限"})
 			c.Abort()
 			return