feat(security): 增加登录频率限制和TOTP二次验证访问控制

- 配置文件中更新数据库密码
- 前端视图中改进TOTP模态框，增加二次验证步骤和状态切换
- 新增前端TOTP验证逻辑，通过Ajax与后端交互验证权限与操作
- 登录控制器中添加每分钟6次的IP登录频率限制，防止暴力尝试
- 修正登录逻辑，阻止频率超限请求，返回友好提示
- 增加TOTP访问权限接口，验证用户访问TOTP信息时需先通过二次验证
- 实现临时10分钟内有效的TOTP访问权限Session管理
- 路由中新增TOTP访问验证路由，支持前端二次验证流程
- 并发安全处理登录频率限制数据，防止竞态条件
- 前端按钮显示与隐藏按验证状态动态变化，提升用户体验

CLAUDE.md

@@ -0,0 +1,140 @@
+# CLAUDE.md
+
+This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.
+
+## Project Overview
+
+This is a Go-based web application called `jhboss` (Kami Boss) - a merchant management and payment gateway system built with the Beego framework. The application handles various aspects of payment processing, merchant management, agent operations, and financial transactions.
+
+## Development Commands
+
+### Building and Running
+```bash
+# Run the application (development mode)
+go run main.go
+
+# Build the application
+go build -o boss main.go
+
+# Install dependencies
+go mod tidy
+
+# Download dependencies
+go mod download
+```
+
+### Testing
+```bash
+# Run all tests
+go test ./...
+
+# Run tests in specific package
+go test ./internal/utils/mfa/
+
+# Run tests with verbose output
+go test -v ./...
+```
+
+### Development Tools
+```bash
+# Format code
+go fmt ./...
+
+# Run linter (if golangci-lint is installed)
+golangci-lint run
+
+# Vet code for potential issues
+go vet ./...
+```
+
+## Architecture
+
+### Framework and Structure
+- **Framework**: Beego v2.3.8 (Go web framework)
+- **Database**: MySQL with ORM (Beego ORM)
+- **Cache/Sessions**: Redis (optional, configured in app.conf)
+- **Architecture Pattern**: MVC (Model-View-Controller)
+
+### Directory Structure
+```
+├── main.go                    # Application entry point
+├── internal/
+│   ├── config/               # Configuration management
+│   ├── controllers/          # HTTP request handlers
+│   ├── models/              # Database models and ORM setup
+│   ├── routers/             # Route definitions
+│   ├── service/             # Business logic layer
+│   ├── utils/               # Utility functions and helpers
+│   ├── common/              # Common constants and types
+│   └── datas/               # Data access layer
+├── conf/                    # Configuration files
+├── static/                  # Static assets (CSS, JS, images)
+├── views/                   # Template files
+└── logs/                    # Application logs
+```
+
+### Key Components
+
+#### Controllers (`internal/controllers/`)
+- **baseController**: Common base functionality for all controllers
+- **loginController**: Authentication and session management
+- **getController**: Data retrieval operations
+- **addController**: Data creation operations
+- **updateController**: Data modification operations
+- **deleteController**: Data deletion operations
+- **camelController**: Camel payment platform integration
+- **pageController**: Page rendering and navigation
+
+#### Models (`internal/models/`)
+Organized by domain:
+- **accounts/**: Account management and history
+- **agent/**: Agent information and profit tracking
+- **merchant/**: Merchant deployment and load information
+- **order/**: Order processing, profit, and settlement
+- **payfor/**: Payment processing
+- **road/**: Payment channel management
+- **system/**: System configuration (users, roles, menus, permissions)
+- **notify/**: Notification handling
+- **user/**: User management
+
+#### Services (`internal/service/`)
+- **queryService**: Data query operations
+- **updateService**: Data update operations
+- **addService**: Data creation operations
+- **deleteService**: Data deletion operations
+- **sendNotifyMerchantService**: Merchant notification services
+- **token.go**: Token management
+- **summary.go**: Data aggregation and reporting
+
+### Configuration
+- **Main Config**: `conf/app.conf` - Contains database, Redis, gateway, and application settings
+- **Environment Variables**: Uses `gatewayAddr` and `portalAddr` environment variables
+- **Dynamic Config**: AES encryption parameters fetched from `kami_backend:12401`
+
+### Database Setup
+The application uses MySQL with the following connection details configured in `conf/app.conf`:
+- Host: 127.0.0.1:3306
+- Database: kami
+- The ORM models are auto-registered in `internal/models/init.go`
+
+### External Integrations
+- **Gateway Service**: `kami_gateway:12309` - Payment gateway integration
+- **Portal Service**: `127.0.0.1:12400` - User portal integration
+- **Backend Service**: `kami_backend:12401` - Backend API for configuration
+
+## Key Features
+- Merchant management and deployment
+- Payment channel (road) management
+- Order processing and profit tracking
+- Agent management and commission tracking
+- User authentication with MFA (TOTP)
+- Role-based access control
+- Financial reporting and data export
+- Real-time notifications
+
+## Development Notes
+- Application runs on port 12306 by default
+- Logs are written to `./logs/app.log` with daily rotation
+- Session timeout is set to 24 hours
+- Debug mode is enabled in development
+- The codebase includes Chinese comments and variable names