security: 보안 강제 시스템 구축 + 하드코딩 비밀번호 제거

보안 감사 결과 CRITICAL 2건, HIGH 5건 발견 → 수정 완료 + 자동화 구축.

[보안 수정]
- issue-view.js: 하드코딩 비밀번호 → crypto.getRandomValues() 랜덤 생성
- pushSubscriptionController.js: ntfy 비밀번호 → process.env.NTFY_SUB_PASSWORD
- DEPLOY-GUIDE.md/PROGRESS.md/migration SQL: 평문 비밀번호 → placeholder
- docker-compose.yml/.env.example: NTFY_SUB_PASSWORD 환경변수 추가

[보안 강제 시스템 - 신규]
- scripts/security-scan.sh: 8개 규칙 (CRITICAL 2, HIGH 4, MEDIUM 2)
  3모드(staged/all/diff), severity, .securityignore, MEDIUM 임계값
- .githooks/pre-commit: 로컬 빠른 피드백
- .githooks/pre-receive-server.sh: Gitea 서버 최종 차단
  bypass 거버넌스([SECURITY-BYPASS: 사유] + 사용자 제한 + 로그)
- SECURITY-CHECKLIST.md: 10개 카테고리 자동/수동 구분
- docs/SECURITY-GUIDE.md: 운영자 가이드 (워크플로우, bypass, FAQ)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

DEPLOY-GUIDE.md

@@ -95,7 +95,7 @@ cat "/volume1/Technicalkorea Document/tkfb-package/.env" | grep MYSQL
 cat /volume1/docker/tkqc/tkqc-package/.env | grep POSTGRES
 
 # Cloudflare Tunnel 토큰
-echo 'fukdon-riwbaq-fiQfy2' | sudo -S /usr/local/bin/docker inspect tkfb_cloudflared | grep TUNNEL_TOKEN
+echo "${NAS_SUDO_PASSWORD}" | sudo -S /usr/local/bin/docker inspect tkfb_cloudflared | grep TUNNEL_TOKEN
 ```
 
 ---
@@ -112,12 +112,12 @@ ssh hyungi@192.168.0.3
 mkdir -p /volume1/docker/backups/$(date +%Y%m%d)
 
 # MariaDB 백업
-echo 'fukdon-riwbaq-fiQfy2' | sudo -S /usr/local/bin/docker exec tkfb_db \
+echo "${NAS_SUDO_PASSWORD}" | sudo -S /usr/local/bin/docker exec tkfb_db \
   mysqldump -u root -p<ROOT_PASSWORD> --all-databases > \
   /volume1/docker/backups/$(date +%Y%m%d)/mariadb-all.sql
 
 # PostgreSQL 백업
-echo 'fukdon-riwbaq-fiQfy2' | sudo -S /usr/local/bin/docker exec tkqc-db \
+echo "${NAS_SUDO_PASSWORD}" | sudo -S /usr/local/bin/docker exec tkqc-db \
   pg_dumpall -U mproject > \
   /volume1/docker/backups/$(date +%Y%m%d)/postgres-all.sql
 
@@ -167,11 +167,11 @@ rm -rf ../tk-factory-services.bak
 # NAS SSH
 # TK-FB 중지
 cd "/volume1/Technicalkorea Document/tkfb-package"
-echo 'fukdon-riwbaq-fiQfy2' | sudo -S /usr/local/bin/docker compose down
+echo "${NAS_SUDO_PASSWORD}" | sudo -S /usr/local/bin/docker compose down
 
 # TKQC 중지
 cd /volume1/docker/tkqc/tkqc-package
-echo 'fukdon-riwbaq-fiQfy2' | sudo -S /usr/local/bin/docker compose down
+echo "${NAS_SUDO_PASSWORD}" | sudo -S /usr/local/bin/docker compose down
 ```
 
 ### Step 4: 통합 서비스 기동
@@ -180,10 +180,10 @@ echo 'fukdon-riwbaq-fiQfy2' | sudo -S /usr/local/bin/docker compose down
 cd /volume1/docker/tk-factory-services
 
 # Docker 이미지 빌드 + 서비스 기동
-echo 'fukdon-riwbaq-fiQfy2' | sudo -S /usr/local/bin/docker compose up --build -d
+echo "${NAS_SUDO_PASSWORD}" | sudo -S /usr/local/bin/docker compose up --build -d
 
 # 로그 확인
-echo 'fukdon-riwbaq-fiQfy2' | sudo -S /usr/local/bin/docker compose logs -f --tail=50
+echo "${NAS_SUDO_PASSWORD}" | sudo -S /usr/local/bin/docker compose logs -f --tail=50
 ```
 
 ### Step 5: DB 마이그레이션
@@ -196,7 +196,7 @@ echo 'fukdon-riwbaq-fiQfy2' | sudo -S /usr/local/bin/docker compose logs -f --ta
 # (system3-nonconformance/api/migrations/ → PostgreSQL init)
 
 # 헬스체크 확인
-echo 'fukdon-riwbaq-fiQfy2' | sudo -S /usr/local/bin/docker compose ps
+echo "${NAS_SUDO_PASSWORD}" | sudo -S /usr/local/bin/docker compose ps
 ```
 
 ### Step 6: Cloudflare Tunnel 설정
@@ -291,15 +291,15 @@ git log --oneline -10
 ```bash
 # 통합 서비스 중지
 cd /volume1/docker_1/tk-factory-services
-echo 'fukdon-riwbaq-fiQfy2' | sudo -S /usr/local/bin/docker compose down
+echo "${NAS_SUDO_PASSWORD}" | sudo -S /usr/local/bin/docker compose down
 
 # TK-FB 복원
 cd "/volume1/Technicalkorea Document/tkfb-package"
-echo 'fukdon-riwbaq-fiQfy2' | sudo -S /usr/local/bin/docker compose up -d
+echo "${NAS_SUDO_PASSWORD}" | sudo -S /usr/local/bin/docker compose up -d
 
 # TKQC 복원
 cd /volume1/docker/tkqc/tkqc-package
-echo 'fukdon-riwbaq-fiQfy2' | sudo -S /usr/local/bin/docker compose up -d
+echo "${NAS_SUDO_PASSWORD}" | sudo -S /usr/local/bin/docker compose up -d
 ```
 
 ---