Tags: blycr/msp
fix: resolve Dockerfile build failure, build.sh logic bugs, and logger data race
- Dockerfile: fix Go version 1.25→1.24, pin alpine:3.21, remove unused gcc/musl-dev, add non-root USER
- build.sh: fix 4 bash &&/|| operator precedence bugs in platform matching
- logger: fix data race by holding lock during writes, cache log.Logger instances
- Add v1.7.2 release notes and changelog entry
release: v1.6.2
- auth.go: sync.RWMutex -> sync.Mutex (no RLock usage)
- main.go: skip no-op PIN migration on startup when no plaintext PIN
- main.go: unify log format Warning: (drop [WARN])
- server.go: flatten checkAndReloadConfig with precomputed needsSave
- server.go: saveConfigLocked auto-updates cfgModTime, eliminating caller-side os.Stat duplication and fixing UpdateConfig's missing ModTime sync
- Revert over-abstracted evictRandomEntry from common.go; restore inline eviction in auth.go and middleware.go
- Archive AI review verification docs
release: v1.6.1
Security & engineering fixes from A-class review items:
- PIN storage: migrate plaintext to bcrypt hash (PINHash field)
- RateLimiter: cap buckets at 10k with random eviction
- pinAttempts: cap at 1k with random eviction
- sqlite.go: extract guard/guardTx wrappers (DRY)
- DeleteByShareRootsNotIn: warn log on unconditional full-table delete
- Config hot-reload: auto-hash plaintext PIN after reload
- Archive review_by_kimi.md and review_by_deepwiki.md
fix: v1.5.1 hotfix - media display, log format, rate limits, plyr null crash
- Fix media not displaying after adding shares (DB scan order, empty shares, missing frontend polling, OnConflict path column)
- Fix duplicate timestamps in console logs
- Fix 429 on Local/LAN access; restrict rate limits to 4 admin endpoints only
- Fix TypeError when state.plyr is destroyed before ready callback fires
security: release v1.5.0
Comprehensive security audit fixes and release preparation:

Authentication:
- PIN brute-force protection (5 failures → 15min lockout)
- Remove weak default PIN (was "0000", now empty)
- Constant-time PIN comparison via crypto/subtle
- Auto-disable PIN when enabled but empty to prevent lockout

Access Control:
- Three-tier access level: Local / LAN / Remote
- Cloudflare Tunnel detection via CF headers
- Admin API lockdown for non-Local access
- Config field filtering by access level

Rate Limiting & DoS:
- Global token-bucket rate limiter (Local exempt)
- Per-endpoint limits: /api/pin 1/5s, refresh 1/30s, stream 2/s
- Refresh cooldown (30s) to prevent scan spam
- WriteTimeout: 60s

File Stream Security:
- TOCTOU defense: re-resolve symlinks after open
- Force Content-Disposition: attachment for non-media files

HTTP Security Headers:
- Content-Security-Policy with strict defaults
- HSTS for HTTPS requests
- Remove deprecated X-XSS-Protection
- Secure cookie flag when behind HTTPS proxy

Media ID Encryption:
- AES-GCM symmetric encryption for media IDs
- Auto-generated msp.key on first run
- Fallback to base64 if key unavailable

Other:
- Client log injection protection (level whitelist, 500char limit)
- CF-Connecting-IP used for IP allowlist/blocklist when behind Tunnel
- Remove GitHub link from web footer

Frontend:
- Access-level aware UI (settings button visibility, hints)
- Remote mode suppresses LAN IP display

Breaking Change:
- Old base64 media ID bookmarks will fail (return "bad id")

Sanitization:
- Remove internal docs containing personal info (archive/, SECURITY_AUDIT.md, TODAY_2026-05-16.md)
- Add AGENTS.md to tracked files
- Update CHANGELOG and release notes