fix: 按 review 意见重构数据库备份服务（安全性 + 架构 + 健壮性）

1. S3 凭证加密存储：使用 SecretEncryptor (AES-256-GCM) 加密 SecretAccessKey，
   防止备份文件中泄露 S3 凭证，兼容旧的未加密数据
2. 修复 saveRecord 竞态条件：添加 recordsMu 互斥锁保护 records 的 load/save
3. 恢复操作增加服务端验证：handler 层要求重新输入管理员密码，通过 bcrypt
   校验，前端弹出密码输入框
4. pg_dump/psql/S3 操作抽象为接口：定义 DBDumper 和 BackupObjectStore 接口，
   实现放入 repository 层，遵循项目依赖注入架构规范
5. 改为流式处理避免大数据库 OOM：备份时 pg_dump stdout -> gzip -> io.Pipe ->
   S3 upload；恢复时 S3 download -> gzip reader -> psql stdin，不再全量加载
6. loadRecords 区分"无数据"和"数据损坏"场景：JSON 解析失败返回明确错误
7. 添加 18 个核心逻辑单元测试：覆盖加密、并发、流式备份/恢复、错误处理等

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

backend/cmd/server/wire_gen.go

@@ -145,8 +145,10 @@ func initializeApplication(buildInfo handler.BuildInfo) (*Application, error) {
 	adminAnnouncementHandler := admin.NewAnnouncementHandler(announcementService)
 	dataManagementService := service.NewDataManagementService()
 	dataManagementHandler := admin.NewDataManagementHandler(dataManagementService)
-	backupService := service.ProvideBackupService(settingRepository, configConfig)
-	backupHandler := admin.NewBackupHandler(backupService)
+	backupObjectStoreFactory := repository.NewS3BackupStoreFactory()
+	dbDumper := repository.NewPgDumper(configConfig)
+	backupService := service.ProvideBackupService(settingRepository, configConfig, secretEncryptor, backupObjectStoreFactory, dbDumper)
+	backupHandler := admin.NewBackupHandler(backupService, userService)
 	oAuthHandler := admin.NewOAuthHandler(oAuthService)
 	openAIOAuthHandler := admin.NewOpenAIOAuthHandler(openAIOAuthService, adminService)
 	geminiOAuthHandler := admin.NewGeminiOAuthHandler(geminiOAuthService)