refactor(api): TOML 配置 SSOT、统一错误契约、Auth/事务加固与可观测性 (#33)

配置 SSOT（TOML + .env）
统一错误契约
Auth 与事务边界
Redis / Celery 可靠性:业务 Redis（DB/0）与 Celery broker/backend（DB/1）显式拆分；连接池、sync client
可观测性（OpenTelemetry + LGTM）

api/docker-compose.yml

@@ -25,18 +25,26 @@ services:
         max-size: "10m"
         max-file: "3"
 
-  # Redis 服务（用于会话存储和 Celery 消息队列）
+  # Redis 服务（业务 key DB/0；Celery broker/backend 由应用自动使用 DB/1）
   redis:
     image: m.daocloud.io/docker.io/library/redis:7-alpine
     container_name: life-echo-redis
     # ports:
     #   - "6379:6379"  # 不暴露到宿主机，仅在 Docker 网络内部访问
+    environment:
+      REDIS_PASSWORD: ${REDIS_PASSWORD:-}
     volumes:
       - redis_data:/data
-    command: redis-server --appendonly yes --maxmemory 256mb --maxmemory-policy allkeys-lru
+    command: >
+      sh -c 'exec redis-server --appendonly yes --maxmemory 256mb --maxmemory-policy allkeys-lru
+      $${REDIS_PASSWORD:+--requirepass "$$REDIS_PASSWORD"}'
     restart: always
     healthcheck:
-      test: ["CMD", "redis-cli", "ping"]
+      test:
+        [
+          "CMD-SHELL",
+          'if [ -n "$$REDIS_PASSWORD" ]; then redis-cli -a "$$REDIS_PASSWORD" ping | grep -q PONG; else redis-cli ping | grep -q PONG; fi',
+        ]
       interval: 10s
       timeout: 5s
       retries: 5
@@ -64,8 +72,10 @@ services:
       - .env
     environment:
       - ASR_MODEL_CACHE_DIR=/app/models/whisper
-      - ALEMBIC_STARTUP_FAIL_FAST=true
       - APP_ENV=${APP_ENV:-production}
+      - REDIS_URL=redis://redis:6379/0
+      - CELERY_REDIS_URL=redis://redis:6379/1
+      - REDIS_PASSWORD=${REDIS_PASSWORD:-}
     volumes:
       - /root/apiclient_key.pem:/app/certs/apiclient_key.pem:ro
     restart: always
@@ -100,6 +110,9 @@ services:
       - .env
     environment:
       - APP_ENV=${APP_ENV:-production}
+      - REDIS_URL=redis://redis:6379/0
+      - CELERY_REDIS_URL=redis://redis:6379/1
+      - REDIS_PASSWORD=${REDIS_PASSWORD:-}
     restart: always
     depends_on:
       postgres:
@@ -133,6 +146,9 @@ services:
       - .env
     environment:
       - APP_ENV=${APP_ENV:-production}
+      - REDIS_URL=redis://redis:6379/0
+      - CELERY_REDIS_URL=redis://redis:6379/1
+      - REDIS_PASSWORD=${REDIS_PASSWORD:-}
     restart: always
     depends_on:
       postgres:
@@ -149,26 +165,39 @@ services:
         max-size: "10m"
         max-file: "3"
 
-  # Flower（Celery 监控面板，可选）
-  # flower:
-  #   build:
-  #     context: .
-  #     dockerfile: Dockerfile
-  #   image: life-echo-api:latest
-  #   container_name: life-echo-flower
-  #   command: celery -A app.tasks.celery_app flower --port=5555
-  #   ports:
-  #     - "5555:5555"
-  #   env_file:
-  #     - .env
-  #   environment:
-  #     - REDIS_URL=redis://redis:6379/0
-  #   restart: always
-  #   depends_on:
-  #     redis:
-  #       condition: service_healthy
-  #   networks:
-  #     - life-echo-network
+  flower:
+    build:
+      context: .
+      dockerfile: Dockerfile
+    image: life-echo-api:latest
+    container_name: life-echo-flower
+    command: >
+      sh -c 'uv run celery -A app.tasks.celery_app flower --port=5555
+      --basic_auth=$${FLOWER_USER:-admin}:$${FLOWER_PASSWORD:-changeme}'
+    ports:
+      - "127.0.0.1:${FLOWER_HOST_PORT:-5555}:5555"
+    env_file:
+      - .env
+    environment:
+      - APP_ENV=${APP_ENV:-production}
+      - REDIS_URL=redis://redis:6379/0
+      - CELERY_REDIS_URL=redis://redis:6379/1
+      - REDIS_PASSWORD=${REDIS_PASSWORD:-}
+      - FLOWER_USER=${FLOWER_USER:-admin}
+      - FLOWER_PASSWORD=${FLOWER_PASSWORD:-changeme}
+    restart: always
+    depends_on:
+      redis:
+        condition: service_healthy
+      celery-worker:
+        condition: service_started
+    networks:
+      - life-echo-network
+    logging:
+      driver: "json-file"
+      options:
+        max-size: "10m"
+        max-file: "3"
 
 networks:
   life-echo-network: