fix: 보안·안정성·동시성 개선 3차

- 입력 검증 강화 (로그인/체인 핸들러 전체)
- boss raid 비관적 잠금으로 동시성 문제 해결
- SSAFY 사용자명 sanitize + 트랜잭션 처리
- constant-time API 키 비교, 보안 헤더, graceful shutdown
- 안전하지 않은 기본값 경고 추가

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

pkg/config/config.go

@@ -1,6 +1,7 @@
 package config
 
 import (
+	"log"
 	"os"
 	"strconv"
 
@@ -75,6 +76,22 @@ func Load() {
 	}
 }
 
+// WarnInsecureDefaults logs warnings for security-sensitive settings left at defaults.
+func WarnInsecureDefaults() {
+	if C.JWTSecret == "secret" {
+		log.Println("WARNING: JWT_SECRET is using the default value — set a strong secret for production")
+	}
+	if C.RefreshSecret == "refresh-secret" {
+		log.Println("WARNING: REFRESH_SECRET is using the default value — set a strong secret for production")
+	}
+	if C.AdminPassword == "admin1234" {
+		log.Println("WARNING: ADMIN_PASSWORD is using the default value — change it for production")
+	}
+	if C.WalletEncryptionKey == "" {
+		log.Println("WARNING: WALLET_ENCRYPTION_KEY is empty — blockchain wallet features will fail")
+	}
+}
+
 func getEnv(key, fallback string) string {
 	if v := os.Getenv(key); v != "" {
 		return v