fix: replace hardcoded JWT and AES encryption keys with env placeholders

[saaa99999999]

1. 硬编码 JWT 签名密钥 (CWE-798)

仓库中提交了3个 .env 文件，其中 JWT 签名密钥都是同一个可预测的值。

server/.env / server/.env.development / server/.env.production:

修复前：

XIAOJU_SURVEY_JWT_SECRET=xiaojuSurveyJwtSecret

修复后：

XIAOJU_SURVEY_JWT_SECRET=change-me-in-production

这个密钥在 auth.service.ts 中同时用于签名和验证 JWT token：

• server/src/modules/auth/services/auth.service.ts:16: sign({ _id, username }, secret, signOptions) 用它对 token 签名
• server/src/modules/auth/services/auth.service.ts:27: verify(token, secret) 用它验证 token

拿到仓库代码的人可以直接使用 xiaojuSurveyJwtSecret 伪造任意用户的 token，绕过 authentication guard。

import jwt
token = jwt.encode({'username': 'admin', '_id': 'anything'}, 'xiaojuSurveyJwtSecret', algorithm='HS256')
# 这个 token 能通过所有需要认证的 API

2. 硬编码 AES 加密密钥 (CWE-798)

同样在 3 个 .env 文件中，AES 加密密钥也是硬编码的。

server/.env / server/.env.development / server/.env.production:

修复前：

XIAOJU_SURVEY_RESPONSE_AES_ENCRYPT_SECRET_KEY=dataAesEncryptSecretKey

修复后：

XIAOJU_SURVEY_RESPONSE_AES_ENCRYPT_SECRET_KEY=change-me-in-production

密钥用途：

• server/src/app.module.ts:onModuleInit(): 传入 ResponseSecurityPlugin，作为存储在内存中的 secretKey
• server/src/securityPlugin/responseSecurityPlugin/index.ts:encryptResponseData() / decryptResponseData(): 对问卷回答中的敏感数据（手机号/身份证/地址/邮箱/性别）加密和解密
• server/src/securityPlugin/responseSecurityPlugin/utils.ts:encryptData() / decryptData(): 使用 CryptoJS.AES 加解密

拿到这个密钥的攻击者可以解密所有问卷回答数据，包含用户手机号、身份证号、地址等 PII。

3. 错误日志泄露 JWT 密钥 (CWE-532)

server/src/modules/auth/controllers/auth.controller.ts:138-143:

修复前：

throw new Error(
    'generateToken erro:' +
      error.message +
      this.configService.get<string>('XIAOJU_SURVEY_JWT_SECRET') +
      this.configService.get<string>('XIAOJU_SURVEY_JWT_EXPIRES_IN'),
);

修复后：

throw new Error(
    'generateToken erro:' + error.message,
);

登录失败时的错误消息会把 JWT 密钥和过期时间拼接进去，泄露在日志或响应中。

---

共计修复 3 个问题，涉及 4 个文件。

[skique]

@saaa99999999 hello，请阅读贡献指南，用develop分支作为pr的基准分支

[codecov]

Codecov Report

❌ Patch coverage is 65.03906% with 537 lines in your changes missing coverage. Please review.
⚠️ Please upload report for BASE (develop@9afd1d1). Learn more about missing BASE report.

Files with missing lines	Patch %	Lines
.../modules/channel/controllers/channel.controller.ts	0.00%	88 Missing and 2 partials ⚠️
...rc/modules/survey/controllers/survey.controller.ts	30.55%	68 Missing and 7 partials ⚠️
...er/src/modules/channel/services/channel.service.ts	0.00%	44 Missing and 2 partials ⚠️
.../src/modules/survey/services/surveyMeta.service.ts	54.54%	38 Missing and 2 partials ⚠️
...dules/survey/controllers/ai-generate.controller.ts	0.00%	27 Missing and 1 partial ⚠️
...odules/appManager/__tests__/appManager.e2e-spec.ts	0.00%	26 Missing ⚠️
...ules/workspace/controllers/workspace.controller.ts	44.18%	23 Missing and 1 partial ⚠️
...odules/survey/controllers/recycleBin.controller.ts	0.00%	19 Missing ⚠️
server/src/modules/survey/utils/index.ts	34.48%	19 Missing ⚠️
...dules/survey/controllers/surveyGroup.controller.ts	77.63%	17 Missing ⚠️
... and 30 more

Additional details and impacted files

@@            Coverage Diff             @@
##             develop     #543   +/-   ##
==========================================
  Coverage           ?   79.81%           
==========================================
  Files              ?      145           
  Lines              ?     3765           
  Branches           ?      489           
==========================================
  Hits               ?     3005           
  Misses             ?      732           
  Partials           ?       28           

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[skique]

@saaa99999999 你好，切到develop后有冲突哦，麻烦解决一下冲突再合入吧