feat: Phase 1 - 安全中间件 + 运维工具箱

新增 oss/core/security/ 模块（852行）：
- jwt_auth.py: JWT签发/验证（HMAC-SHA256，零外部依赖）
- csrf.py: CSRF Token生成与校验
- input_validator.py: JSON Schema校验+类型强制
- tls.py: 自签名证书生成+SSL上下文

新增 oss/core/ops/ 模块：
- health.py: 增强版/health端点（CPU/内存/磁盘/运行时间）
- metrics.py: Prometheus兼容/metrics端点

对接改造：
- engine.py: 导出新模块
- manager.py: 注册/api/login /health /metrics路由
- middleware.py: CSRF+InputValidation中间件
- config.py: JWT_SECRET/CSRF_SECRET等配置项
- security.py→security/__init__.py: 合并插件沙箱与HTTP安全

oss/core/engine.py

@@ -10,6 +10,8 @@ from oss.core.pl_injector import PLValidationError, PLInjector
 from oss.core.watcher import HotReloadError, FileWatcher
 from oss.core.signature import SignatureError, SignatureVerifier, PluginSigner
 from oss.core.manager import PluginManager, CapabilityRegistry, PluginInfo
+from oss.core.security import JWTAuth, CSRFProtection, InputValidator, TLSManager
+from oss.core.ops import HealthChecker, MetricsCollector
 from oss.plugin.types import register_plugin_type
 
 register_plugin_type("PluginManager", PluginManager)