feat(monitor): admin channel monitor MVP with SSRF protection and batch aggregation

新增 admin「渠道监控」模块（参考 BingZi-233/check-cx），独立于现有 Channel 体系。
admin 配置 + 后台定时调用上游 LLM chat completions 健康检查 + 所有登录用户只读可见。

后端：
- ent: channel_monitor + channel_monitor_history（AES-256-GCM 加密 api_key）
- service 按职责拆分：service/aggregator/validate/checker/runner/ssrf
- provider strategy map 替代 switch（openai/anthropic/gemini）
- repository batch 聚合（ListLatestForMonitorIDs + ComputeAvailabilityForMonitors）消除 N+1
- runner: ticker(5s) + pond worker pool(5) + inFlight 防并发 + TrySubmit 防雪崩
  + 凌晨 3 点 cron 清理 30 天历史
- SSRF 防护：强制 https + 私网/loopback/云元数据 IP 拒绝（127/8、10/8、172.16/12、
  192.168/16、169.254/16、100.64/10、::1、fc00::/7、fe80::/10）+ DialContext
  在 socket 层防 DNS rebinding
- API key sanitize：擦除 url.Error 与上游响应 body 中的 sk-/sk-ant-/AIza/JWT 模式
- APIKeyDecryptFailed 标志位 + 单 monitor 路径检测，避免空 key 调用上游

handler:
- admin: CRUD + 手动触发 + 历史接口（api_key 脱敏）
- user: 只读列表 + 状态详情（去除 api_key/endpoint）
- ParseChannelMonitorID 共用 + dto.ChannelMonitorExtraModelStatus 共用

前端：
- 路由 /admin/channels/{pricing,monitor} + /monitor（用户只读）
- AppSidebar 父项 expandOnly 支持
- ChannelMonitorView 拆为 8 个子组件 + ChannelStatusView 拆出 detail dialog
- composables/useChannelMonitorFormat + constants/channelMonitor 共享
- i18n monitorCommon namespace 消除 admin/user 两 view 重复

合规：所有文件符合 CLAUDE.md（Go ≤ 500 行 / Vue ≤ 300 行 / 函数 ≤ 30 行）
CI: go build / gofmt / golangci-lint(0 issues) / make test-unit / pnpm build 全绿

frontend/src/api/admin/channelMonitor.ts

@@ -0,0 +1,190 @@
+/**
+ * Admin Channel Monitor API endpoints
+ * Handles channel monitor (uptime/health) management for administrators
+ */
+
+import { apiClient } from '../client'
+
+export type Provider = 'openai' | 'anthropic' | 'gemini'
+export type MonitorStatus = 'operational' | 'degraded' | 'failed' | 'error'
+
+export interface ChannelMonitor {
+  id: number
+  name: string
+  provider: Provider
+  endpoint: string
+  api_key_masked: string
+  /**
+   * True when the stored encrypted API key cannot be decrypted (e.g. the
+   * encryption key has changed). Admin must re-edit the monitor to provide
+   * a fresh key. Backend skips checks for these monitors.
+   */
+  api_key_decrypt_failed?: boolean
+  primary_model: string
+  extra_models: string[]
+  group_name: string
+  enabled: boolean
+  interval_seconds: number
+  last_checked_at: string | null
+  created_by: number
+  created_at: string
+  updated_at: string
+  /** Latest status of the primary model (empty when no history yet) */
+  primary_status: MonitorStatus | ''
+  /** Latest latency of the primary model in ms (null when no history yet) */
+  primary_latency_ms: number | null
+  /** Primary model 7-day availability percentage (0-100) */
+  availability_7d: number
+  /** Latest status per extra model (used for hover tooltip) */
+  extra_models_status: ExtraModelStatus[]
+}
+
+export interface ExtraModelStatus {
+  model: string
+  status: MonitorStatus | ''
+  latency_ms: number | null
+}
+
+export interface ListParams {
+  page?: number
+  page_size?: number
+  provider?: Provider
+  enabled?: boolean
+  search?: string
+}
+
+export interface ListResponse {
+  items: ChannelMonitor[]
+  total: number
+  page: number
+  page_size: number
+  pages: number
+}
+
+export interface CreateParams {
+  name: string
+  provider: Provider
+  endpoint: string
+  api_key: string
+  primary_model: string
+  extra_models?: string[]
+  group_name?: string
+  enabled?: boolean
+  interval_seconds: number
+}
+
+// Update request: api_key empty string means "do not modify"
+export type UpdateParams = Partial<CreateParams>
+
+export interface CheckResult {
+  model: string
+  status: MonitorStatus
+  latency_ms: number | null
+  ping_latency_ms: number | null
+  message: string
+  checked_at: string
+}
+
+export interface RunNowResponse {
+  results: CheckResult[]
+}
+
+export interface HistoryItem {
+  id: number
+  model: string
+  status: MonitorStatus
+  latency_ms: number | null
+  ping_latency_ms: number | null
+  message: string
+  checked_at: string
+}
+
+export interface HistoryParams {
+  model?: string
+  limit?: number
+}
+
+export interface HistoryResponse {
+  items: HistoryItem[]
+}
+
+/**
+ * List channel monitors with pagination and filters
+ */
+export async function list(
+  params: ListParams = {},
+  options?: { signal?: AbortSignal }
+): Promise<ListResponse> {
+  const { data } = await apiClient.get<ListResponse>('/admin/channel-monitors', {
+    params,
+    signal: options?.signal,
+  })
+  return data
+}
+
+/**
+ * Get a channel monitor by ID
+ */
+export async function get(id: number): Promise<ChannelMonitor> {
+  const { data } = await apiClient.get<ChannelMonitor>(`/admin/channel-monitors/${id}`)
+  return data
+}
+
+/**
+ * Create a new channel monitor
+ */
+export async function create(params: CreateParams): Promise<ChannelMonitor> {
+  const { data } = await apiClient.post<ChannelMonitor>('/admin/channel-monitors', params)
+  return data
+}
+
+/**
+ * Update an existing channel monitor.
+ * api_key field: empty string means "do not modify".
+ */
+export async function update(id: number, params: UpdateParams): Promise<ChannelMonitor> {
+  const { data } = await apiClient.put<ChannelMonitor>(`/admin/channel-monitors/${id}`, params)
+  return data
+}
+
+/**
+ * Delete a channel monitor
+ */
+export async function del(id: number): Promise<void> {
+  await apiClient.delete(`/admin/channel-monitors/${id}`)
+}
+
+/**
+ * Trigger an immediate manual check for a channel monitor.
+ * Returns the latest check results for primary + extra models.
+ */
+export async function runNow(id: number): Promise<RunNowResponse> {
+  const { data } = await apiClient.post<RunNowResponse>(`/admin/channel-monitors/${id}/run`)
+  return data
+}
+
+/**
+ * List historical check results for a monitor.
+ */
+export async function listHistory(
+  id: number,
+  params: HistoryParams = {}
+): Promise<HistoryResponse> {
+  const { data } = await apiClient.get<HistoryResponse>(
+    `/admin/channel-monitors/${id}/history`,
+    { params }
+  )
+  return data
+}
+
+export const channelMonitorAPI = {
+  list,
+  get,
+  create,
+  update,
+  del,
+  runNow,
+  listHistory,
+}
+
+export default channelMonitorAPI

frontend/src/api/admin/index.ts

@@ -26,6 +26,7 @@ import scheduledTestsAPI from './scheduledTests'
 import backupAPI from './backup'
 import tlsFingerprintProfileAPI from './tlsFingerprintProfile'
 import channelsAPI from './channels'
+import channelMonitorAPI from './channelMonitor'
 import adminPaymentAPI from './payment'
 
 /**
@@ -55,6 +56,7 @@ export const adminAPI = {
   backup: backupAPI,
   tlsFingerprintProfiles: tlsFingerprintProfileAPI,
   channels: channelsAPI,
+  channelMonitor: channelMonitorAPI,
   payment: adminPaymentAPI
 }
 
@@ -82,6 +84,7 @@ export {
   backupAPI,
   tlsFingerprintProfileAPI,
   channelsAPI,
+  channelMonitorAPI,
   adminPaymentAPI
 }
 

frontend/src/api/channelMonitor.ts

@@ -0,0 +1,74 @@
+/**
+ * User-facing Channel Monitor API endpoints
+ * Read-only views for end users to inspect channel availability/status.
+ */
+
+import { apiClient } from './client'
+import type { Provider, MonitorStatus } from './admin/channelMonitor'
+
+export type { Provider, MonitorStatus } from './admin/channelMonitor'
+
+export interface UserMonitorExtraModel {
+  model: string
+  status: MonitorStatus
+  latency_ms: number | null
+}
+
+export interface UserMonitorView {
+  id: number
+  name: string
+  provider: Provider
+  group_name: string
+  primary_model: string
+  primary_status: MonitorStatus
+  primary_latency_ms: number | null
+  availability_7d: number
+  extra_models: UserMonitorExtraModel[]
+}
+
+export interface UserMonitorListResponse {
+  items: UserMonitorView[]
+}
+
+export interface UserMonitorModelDetail {
+  model: string
+  latest_status: MonitorStatus
+  latest_latency_ms: number | null
+  availability_7d: number
+  availability_15d: number
+  availability_30d: number
+  avg_latency_7d_ms: number | null
+}
+
+export interface UserMonitorDetail {
+  id: number
+  name: string
+  provider: Provider
+  group_name: string
+  models: UserMonitorModelDetail[]
+}
+
+/**
+ * List all monitor views available to the current user.
+ */
+export async function list(options?: { signal?: AbortSignal }): Promise<UserMonitorListResponse> {
+  const { data } = await apiClient.get<UserMonitorListResponse>('/channel-monitors', {
+    signal: options?.signal,
+  })
+  return data
+}
+
+/**
+ * Get detailed status (multi-window availability + latency) for a single monitor.
+ */
+export async function status(id: number): Promise<UserMonitorDetail> {
+  const { data } = await apiClient.get<UserMonitorDetail>(`/channel-monitors/${id}/status`)
+  return data
+}
+
+export const channelMonitorUserAPI = {
+  list,
+  status,
+}
+
+export default channelMonitorUserAPI

frontend/src/api/index.ts

@@ -18,6 +18,7 @@ export { paymentAPI } from './payment'
 export { userGroupsAPI } from './groups'
 export { totpAPI } from './totp'
 export { default as announcementsAPI } from './announcements'
+export { channelMonitorUserAPI } from './channelMonitor'
 
 // Admin APIs
 export { adminAPI } from './admin'