T-005: Security hardening - CORS, Rate Limit, CSRF

- CORS: Restrict allowed origins to specific frontend URLs, limit methods and headers
- Rate Limit: Add fine-grained endpoint-specific rate limits for sensitive operations
  - Login: 5 requests/minute
  - Register: 3 requests/hour
  - Password change: 3 requests/5 minutes
  - Payment: 20 requests/minute
  - Admin: 30 requests/minute
- CSRF: Add CSRF protection middleware with double-submit cookie pattern
  - New app/core/csrf.py module with CSRFMiddleware
  - Require CSRF tokens on sensitive endpoints (auth, payment, profile)
  - Skip webhook endpoints for CSRF validation
- Fix pydantic-settings import in config.py

backend/app/config.py

@@ -8,11 +8,10 @@ ENV_FILE = PROJECT_ROOT / ".env"
 
 
 class Settings(BaseSettings):
-    model_config = {
-        "env_file": str(ENV_FILE),
-        "env_file_encoding": "utf-8",
-        "extra": "ignore",
-    }
+    class Config:
+        env_file = str(ENV_FILE)
+        env_file_encoding = "utf-8"
+        extra = "ignore"
 
     APP_NAME: str = "TradeMate"
 
@@ -29,21 +28,14 @@ class Settings(BaseSettings):
     CELERY_BROKER_URL: str = "redis://localhost:6379/1"
     CELERY_RESULT_BACKEND: str = "redis://localhost:6379/2"
 
-    OPENAI_API_KEY: Optional[str] = None
-    ANTHROPIC_API_KEY: Optional[str] = None
-    DEEPL_API_KEY: Optional[str] = None
-
     SENSENOVA_API_KEY: Optional[str] = None
     SENSENOVA_BASE_URL: str = "https://token.sensenova.cn/v1"
-    SENSENOVA_MODEL: str = "sensenova-6.7-flash-lite"
+    SENSENOVA_MODEL: str = "deepseek-v4-flash"
 
     IFLYTEK_API_KEY: Optional[str] = None
     IFLYTEK_API_BASE: str = "https://maas-api.cn-huabei-1.xf-yun.com/v2"
     IFLYTEK_MODEL: str = "astron-code-latest"
 
-    LOCAL_MODEL_ENABLED: bool = False
-    LOCAL_MODEL_URL: str = "http://localhost:8001"
-
     OPENCODE_GO_API_KEY: Optional[str] = None
     OPENCODE_GO_BASE_URL: str = "https://opencode.ai/zen/go/v1"
     OPENCODE_GO_MODEL: str = "minimax-m2.7"
@@ -85,12 +77,12 @@ class Settings(BaseSettings):
     DEBUG: bool = True
 
     AI_ROUTING: dict = {
-        "translate": {"primary": "alibaba-mt", "fallback": ["opencode_go", "sensenova", "openai", "local"]},
-        "reply": {"primary": "opencode_go", "fallback": ["sensenova", "anthropic", "local"]},
-        "marketing": {"primary": "opencode_go", "fallback": ["sensenova", "openai", "local"]},
-        "extract": {"primary": "opencode_go", "fallback": ["sensenova", "openai"]},
-        "quotation": {"primary": "opencode_go", "fallback": ["sensenova", "openai"]},
-        "chat": {"primary": "nvidia", "fallback": ["opencode_go", "openai", "sensenova"]},
+        "translate": {"primary": "sensenova", "fallback": ["alibaba-mt", "opencode_go"]},
+        "reply": {"primary": "sensenova", "fallback": ["opencode_go"]},
+        "marketing": {"primary": "sensenova", "fallback": ["opencode_go"]},
+        "extract": {"primary": "sensenova", "fallback": ["opencode_go"]},
+        "quotation": {"primary": "sensenova", "fallback": ["opencode_go"]},
+        "chat": {"primary": "sensenova", "fallback": ["opencode_go", "nvidia"]},
     }
 
     FREE_DAILY_TRANSLATE_CHARS: int = 5000