refactor: 系统优化配置从硬编码改为持久化

- SystemOptimizer 启动时从 system_settings.json 加载 rate_limits/cost_limits/security_settings
- 硬编码值仅作为 fallback（配置文件不存在或字段缺失时使用）
- security-settings/traffic-settings/cost-settings 三个 API 端点重写：
  - GET 从 system_settings.json 读取实际值（不再返回假数据）
  - POST 写入 system_settings.json（不再丢弃数据）
- 新增 _read_system_settings/_save_system_settings 工具函数

src/core/system_optimizer.py

@@ -30,31 +30,36 @@ class SystemOptimizer:
         self.request_counts = defaultdict(int)
         self.response_times = deque(maxlen=1000)
         
-        # 流量控制
-        self.rate_limits = {
-            "per_minute": 60,      # 每分钟最大请求数
-            "per_hour": 1000,      # 每小时最大请求数
-            "per_day": 10000       # 每天最大请求数
-        }
-        
-        # 成本控制
-        self.cost_limits = {
-            "daily": 100.0,        # 每日成本限制（元）
-            "hourly": 20.0,        # 每小时成本限制（元）
-            "per_request": 0.1     # 单次请求成本限制（元）
-        }
-        
-        # 安全设置
-        self.security_settings = {
-            "max_input_length": 10000,     # 最大输入长度
-            "max_output_length": 5000,     # 最大输出长度
-            "blocked_keywords": ["恶意", "攻击", "病毒"],  # 屏蔽关键词
-            "max_concurrent_users": 50     # 最大并发用户数（调整为更合理的值）
-        }
+        # 从系统设置加载配置，硬编码值仅作为 fallback
+        self._load_settings()
         
         # 延迟启动监控线程（避免启动时阻塞）
         threading.Timer(5.0, self._start_monitoring).start()
     
+    def _load_settings(self):
+        """从 system_settings.json 加载配置，未配置则使用默认值"""
+        import json, os
+        defaults_rate = {"per_minute": 60, "per_hour": 1000, "per_day": 10000}
+        defaults_cost = {"daily": 100.0, "hourly": 20.0, "per_request": 0.1}
+        defaults_security = {
+            "max_input_length": 10000, "max_output_length": 5000,
+            "blocked_keywords": [], "max_concurrent_users": 50
+        }
+        try:
+            settings_path = os.path.join('data', 'system_settings.json')
+            if os.path.exists(settings_path):
+                with open(settings_path, 'r', encoding='utf-8') as f:
+                    settings = json.load(f)
+                self.rate_limits = {**defaults_rate, **settings.get('rate_limits', {})}
+                self.cost_limits = {**defaults_cost, **settings.get('cost_limits', {})}
+                self.security_settings = {**defaults_security, **settings.get('security_settings', {})}
+                return
+        except Exception as e:
+            logger.warning(f"加载系统优化配置失败，使用默认值: {e}")
+        self.rate_limits = defaults_rate
+        self.cost_limits = defaults_cost
+        self.security_settings = defaults_security
+    
     def _init_redis(self):
         """初始化Redis连接（延迟连接）"""
         self.redis_client = None

src/web/blueprints/system.py

@@ -445,76 +445,83 @@ def optimize_all():
     except Exception as e:
         return jsonify({"error": str(e)}), 500
 
+def _read_system_settings():
+    """读取 system_settings.json"""
+    settings_path = os.path.join('data', 'system_settings.json')
+    if os.path.exists(settings_path):
+        with open(settings_path, 'r', encoding='utf-8') as f:
+            return json.load(f)
+    return {}
+
+def _save_system_settings(settings):
+    """写入 system_settings.json"""
+    os.makedirs('data', exist_ok=True)
+    settings_path = os.path.join('data', 'system_settings.json')
+    with open(settings_path, 'w', encoding='utf-8') as f:
+        json.dump(settings, f, ensure_ascii=False, indent=2)
+
+
 @system_bp.route('/system-optimizer/security-settings', methods=['GET', 'POST'])
 def security_settings():
-    """安全设置"""
+    """安全设置（持久化到 system_settings.json）"""
     try:
+        settings = _read_system_settings()
         if request.method == 'GET':
-            # 获取安全设置
+            sec = settings.get('security_settings', {})
             return jsonify({
                 'success': True,
-                'input_validation': True,
-                'rate_limiting': True,
-                'sql_injection_protection': True,
-                'xss_protection': True
+                'max_input_length': sec.get('max_input_length', 10000),
+                'max_output_length': sec.get('max_output_length', 5000),
+                'blocked_keywords': sec.get('blocked_keywords', []),
+                'max_concurrent_users': sec.get('max_concurrent_users', 50)
             })
         else:
-            # 保存安全设置
             data = request.get_json()
-            # 这里应该保存到数据库或配置文件
-            
-            return jsonify({
-                'success': True,
-                'message': '安全设置已保存'
-            })
+            settings['security_settings'] = data
+            _save_system_settings(settings)
+            return jsonify({'success': True, 'message': '安全设置已保存'})
     except Exception as e:
         return jsonify({"error": str(e)}), 500
 
 @system_bp.route('/system-optimizer/traffic-settings', methods=['GET', 'POST'])
 def traffic_settings():
-    """流量设置"""
+    """流量设置（持久化到 system_settings.json）"""
     try:
+        settings = _read_system_settings()
         if request.method == 'GET':
-            # 获取流量设置
+            rl = settings.get('rate_limits', {})
             return jsonify({
                 'success': True,
-                'request_limit': 100,
-                'concurrent_limit': 50,
-                'ip_whitelist': ['127.0.0.1', '192.168.1.1']
+                'per_minute': rl.get('per_minute', 60),
+                'per_hour': rl.get('per_hour', 1000),
+                'per_day': rl.get('per_day', 10000)
             })
         else:
-            # 保存流量设置
             data = request.get_json()
-            # 这里应该保存到数据库或配置文件
-            
-            return jsonify({
-                'success': True,
-                'message': '流量设置已保存'
-            })
+            settings['rate_limits'] = data
+            _save_system_settings(settings)
+            return jsonify({'success': True, 'message': '流量设置已保存'})
     except Exception as e:
         return jsonify({"error": str(e)}), 500
 
 @system_bp.route('/system-optimizer/cost-settings', methods=['GET', 'POST'])
 def cost_settings():
-    """成本设置"""
+    """成本设置（持久化到 system_settings.json）"""
     try:
+        settings = _read_system_settings()
         if request.method == 'GET':
-            # 获取成本设置
+            cl = settings.get('cost_limits', {})
             return jsonify({
                 'success': True,
-                'monthly_budget_limit': 1000,
-                'per_call_cost_limit': 0.1,
-                'auto_cost_control': True
+                'daily': cl.get('daily', 100.0),
+                'hourly': cl.get('hourly', 20.0),
+                'per_request': cl.get('per_request', 0.1)
             })
         else:
-            # 保存成本设置
             data = request.get_json()
-            # 这里应该保存到数据库或配置文件
-            
-            return jsonify({
-                'success': True,
-                'message': '成本设置已保存'
-            })
+            settings['cost_limits'] = data
+            _save_system_settings(settings)
+            return jsonify({'success': True, 'message': '成本设置已保存'})
     except Exception as e:
         return jsonify({"error": str(e)}), 500