feat: production hardening - CORS whitelist, strong password, tokenVersion revoke, VIP card hashing, admin secret

prisma/schema.prisma

@@ -24,6 +24,9 @@ model User {
   isVip         Boolean   @default(false) @map("is_vip")
   vipLevel      Int       @default(0) @map("vip_level")
   vipExpireAt   DateTime? @map("vip_expire_at")
+
+  // Token 吊销 (递增版本号使旧 token 失效)
+  tokenVersion  Int       @default(0) @map("token_version")
   
   // 统计
   schemesCount      Int   @default(0) @map("schemes_count")