feat: Go 重写后端，替换 Python FastAPI

用 Go (Gin + GORM + SQLite) 重写整个后端：
- 单二进制部署，不依赖 Python/pip/SDK
- net/http 原生客户端，无 Cloudflare TLS 指纹问题
- 多阶段 Dockerfile：Node 构建前端 + Go 构建后端 + Alpine 运行
- 内存占用从 ~95MB 降至 ~3MB
- 完整保留所有 API 路由、JWT 认证、API Key 权限、审计日志

main.go

@@ -0,0 +1,114 @@
+package main
+
+import (
+	"log"
+	"os"
+	"path/filepath"
+	"strings"
+
+	"github.com/gin-contrib/cors"
+	"github.com/gin-gonic/gin"
+
+	"airwallex-admin/config"
+	"airwallex-admin/handlers"
+	"airwallex-admin/middleware"
+	"airwallex-admin/models"
+)
+
+func main() {
+	config.Load()
+	models.InitDB()
+	models.InitializeDefaults(models.DB)
+
+	r := gin.Default()
+
+	r.Use(cors.New(cors.Config{
+		AllowAllOrigins:  true,
+		AllowMethods:     []string{"GET", "POST", "PUT", "DELETE", "PATCH", "OPTIONS"},
+		AllowHeaders:     []string{"Origin", "Content-Type", "Accept", "Authorization", "X-API-Key"},
+		ExposeHeaders:    []string{"Content-Length"},
+		AllowCredentials: false,
+	}))
+
+	// Health check
+	api := r.Group("/api")
+	api.GET("/health", func(c *gin.Context) {
+		c.JSON(200, gin.H{"status": "ok"})
+	})
+
+	// Auth routes (no auth required)
+	auth := api.Group("/auth")
+	auth.POST("/login", handlers.Login)
+
+	// Protected admin routes (JWT required)
+	protected := api.Group("")
+	protected.Use(middleware.JWTAuth())
+
+	protected.GET("/auth/me", handlers.GetMe)
+	protected.GET("/dashboard", handlers.GetDashboard)
+
+	// Cards
+	protected.GET("/cards", handlers.ListCards)
+	protected.POST("/cards", handlers.CreateCard)
+	protected.GET("/cards/:id", handlers.GetCard)
+	protected.GET("/cards/:id/details", handlers.GetCardDetails)
+	protected.PUT("/cards/:id", handlers.UpdateCard)
+
+	// Cardholders
+	protected.GET("/cardholders", handlers.ListCardholders)
+	protected.POST("/cardholders", handlers.CreateCardholder)
+
+	// Transactions
+	protected.GET("/transactions", handlers.ListTransactions)
+	protected.GET("/authorizations", handlers.ListAuthorizations)
+
+	// Settings
+	protected.GET("/settings", handlers.GetSettings)
+	protected.PUT("/settings", handlers.UpdateSettings)
+	protected.POST("/settings/test-connection", handlers.TestConnection)
+	protected.POST("/settings/test-proxy", handlers.TestProxy)
+
+	// Tokens
+	protected.GET("/tokens", handlers.ListTokens)
+	protected.POST("/tokens", handlers.CreateToken)
+	protected.DELETE("/tokens/:id", handlers.DeleteToken)
+
+	// Logs
+	protected.GET("/card-logs", handlers.ListCardLogs)
+	protected.GET("/audit-logs", handlers.ListAuditLogs)
+
+	// External API (API Key auth)
+	v1 := api.Group("/v1")
+	v1.Use(middleware.APIKeyAuth())
+
+	v1.POST("/cards/create", middleware.CheckPermission("create_cards"), handlers.ExternalCreateCard)
+	v1.GET("/cards", middleware.CheckPermission("read_cards"), handlers.ExternalListCards)
+	v1.GET("/cards/:id", middleware.CheckPermission("read_cards"), handlers.ExternalGetCard)
+	v1.POST("/cards/:id/freeze", middleware.CheckPermission("create_cards"), handlers.ExternalFreezeCard)
+	v1.GET("/transactions", middleware.CheckPermission("read_transactions"), handlers.ExternalListTransactions)
+	v1.GET("/balance", middleware.CheckPermission("read_balance"), handlers.ExternalGetBalance)
+
+	// Static files + SPA fallback
+	distPath := "frontend/dist"
+	if _, err := os.Stat(distPath); err == nil {
+		r.Static("/assets", filepath.Join(distPath, "assets"))
+		r.StaticFile("/favicon.ico", filepath.Join(distPath, "favicon.ico"))
+
+		r.NoRoute(func(c *gin.Context) {
+			if strings.HasPrefix(c.Request.URL.Path, "/api/") {
+				c.JSON(404, gin.H{"detail": "Not found"})
+				return
+			}
+			c.File(filepath.Join(distPath, "index.html"))
+		})
+	}
+
+	port := config.Cfg.Port
+	if port == "" {
+		port = "8000"
+	}
+	log.Printf("Starting server on :%s", port)
+	if err := r.Run(":" + port); err != nil {
+		log.Fatalf("Failed to start server: %v", err)
+	}
+}