feat(security): SecurityConfig 路径规则适配 admin/member 前缀

- /api/auth/** 拆分为 /api/admin/auth/** 和 /api/member/auth/**
- 移除 /** 全放行规则，收紧安全策略
- 诊断路径更新为 /api/admin/diagnostic/**

gym-manage-api/manage-sys/src/main/java/cn/novalon/gym/manage/sys/config/SecurityConfig.java

@@ -47,10 +47,10 @@ public class SecurityConfig {
                 .addFilterBefore(jwtAuthenticationFilter, SecurityWebFiltersOrder.AUTHENTICATION)
                 .addFilterAfter(operationLogWebFilter, SecurityWebFiltersOrder.AUTHORIZATION)
                 .authorizeExchange(spec -> {
-                    spec.pathMatchers("/api/auth/**").permitAll()
+                    spec.pathMatchers("/api/admin/auth/**").permitAll()
+                            .pathMatchers("/api/member/auth/**").permitAll()
                             .pathMatchers("/api/public/**").permitAll()
                             .pathMatchers("/ws/**").permitAll()
-                            .pathMatchers("/**").permitAll()
                             .pathMatchers("/actuator/**").permitAll();
 
                     if (isDevOrTest) {
@@ -60,7 +60,7 @@ public class SecurityConfig {
                                 .pathMatchers("/v3/api-docs/**").permitAll()
                                 .pathMatchers("/swagger-resources/**").permitAll()
                                 .pathMatchers("/webjars/**").permitAll()
-                                .pathMatchers("/api/diagnostic/**").permitAll();
+                                .pathMatchers("/api/admin/diagnostic/**").permitAll();
                         logger.info("SecurityConfig: Swagger路径和诊断端点已放行");
                     }