Merge feature/add_skin into master: resolve all conflicts

- GameGlobal.js: keep upstream SERVER_URL with /ws suffix
- en.js/zh.js: merge both settings.nickname and settings.profile keys
- SettingsScene.js: keep both nickname row and profile button
- server/index.js: merge express app + content security proxy with
  noServer WebSocket mode and path validation
- Add .gitignore for node_modules and .codebuddy

deploy/content-security/configmap.yaml

@@ -0,0 +1,25 @@
+# ============================================================
+# ConfigMap: content-security-config
+# Centralized configuration for content security service.
+# WX_APPID and WX_APPSECRET should be overridden via SealedSecret
+# or external secret management in production.
+# ============================================================
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: content-security-config
+  namespace: content-security
+  labels:
+    app: content-security-service
+data:
+  NODE_ENV: "production"
+  HOST: "0.0.0.0"
+  PORT: "3000"
+  # Default game_id for requests without explicit game_id
+  DEFAULT_GAME_ID: "tankwar"
+  # Audit log retention in days
+  AUDIT_LOG_RETENTION_DAYS: "180"
+  # Rate limit: max requests per minute to WeChat API
+  RATE_LIMIT_PER_MINUTE: "5000"
+  # API timeout in milliseconds
+  API_TIMEOUT_MS: "3000"

deploy/content-security/deployment.yaml

@@ -0,0 +1,75 @@
+# ============================================================
+# Deployment: content-security-service
+# Content security microservice for UGC moderation.
+# Shared by multiple mini-games via game_id tenant isolation.
+# ============================================================
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: content-security-service
+  namespace: content-security
+  labels:
+    app: content-security-service
+    app.kubernetes.io/part-of: content-security
+spec:
+  replicas: 2
+  selector:
+    matchLabels:
+      app: content-security-service
+  strategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxSurge: 1
+      maxUnavailable: 0
+  template:
+    metadata:
+      labels:
+        app: content-security-service
+      annotations:
+        prometheus.io/scrape: "true"
+        prometheus.io/port: "3000"
+        prometheus.io/path: "/metrics"
+    spec:
+      containers:
+        - name: content-security-service
+          image: content-security-service:latest
+          imagePullPolicy: Never
+          ports:
+            - name: http
+              containerPort: 3000
+              protocol: TCP
+          envFrom:
+            - configMapRef:
+                name: content-security-config
+            - secretRef:
+                name: content-security-secrets
+          livenessProbe:
+            httpGet:
+              path: /api/health
+              port: 3000
+            initialDelaySeconds: 15
+            periodSeconds: 15
+            timeoutSeconds: 3
+            failureThreshold: 3
+          readinessProbe:
+            httpGet:
+              path: /api/health
+              port: 3000
+            initialDelaySeconds: 5
+            periodSeconds: 5
+            timeoutSeconds: 2
+            failureThreshold: 3
+          resources:
+            requests:
+              cpu: 100m
+              memory: 128Mi
+            limits:
+              cpu: 500m
+              memory: 256Mi
+          volumeMounts:
+            - name: audit-logs
+              mountPath: /app/logs/audit
+      volumes:
+        - name: audit-logs
+          emptyDir: {}
+      terminationGracePeriodSeconds: 15

deploy/content-security/namespace-label-note.yaml

@@ -0,0 +1,8 @@
+# ============================================================
+# Namespace label patch for tankwar
+# This adds the kubernetes.io/metadata.name label to the tankwar
+# namespace so that NetworkPolicy can reference it.
+# Apply: kubectl label namespace tankwar kubernetes.io/metadata.name=tankwar --overwrite
+# ============================================================
+# Note: Kubernetes 1.21+ automatically adds this label to namespaces.
+# Verify with: kubectl get namespace tankwar --show-labels

deploy/content-security/namespace.yaml

@@ -0,0 +1,12 @@
+# ============================================================
+# Namespace: content-security
+# Independent namespace for content security service,
+# shared by multiple mini-games.
+# ============================================================
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: content-security
+  labels:
+    app.kubernetes.io/part-of: content-security
+    app.kubernetes.io/managed-by: kubectl

deploy/content-security/networkpolicy.yaml

@@ -0,0 +1,40 @@
+# ============================================================
+# NetworkPolicy: content-security-policy
+# Restrict access to content security service:
+# - Only allow ingress from game namespaces (tankwar, etc.)
+# - Allow egress to WeChat APIs and DNS
+# ============================================================
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: content-security-ingress-policy
+  namespace: content-security
+spec:
+  podSelector:
+    matchLabels:
+      app: content-security-service
+  policyTypes:
+    - Ingress
+  ingress:
+    # Allow from tankwar namespace
+    - from:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: tankwar
+      ports:
+        - protocol: TCP
+          port: 3000
+    # Allow from any namespace with the game-client label
+    - from:
+        - podSelector:
+            matchLabels:
+              content-security-client: "true"
+      ports:
+        - protocol: TCP
+          port: 3000
+    # Allow health checks from within same namespace
+    - from:
+        - podSelector: {}
+      ports:
+        - protocol: TCP
+          port: 3000

deploy/content-security/secret.yaml

@@ -0,0 +1,19 @@
+# ============================================================
+# Secret: content-security-secrets
+# WeChat Mini Program credentials for content security APIs.
+# IMPORTANT: In production, use SealedSecret or external secret
+# management (e.g., HashiCorp Vault) instead of plain Secrets.
+# ============================================================
+apiVersion: v1
+kind: Secret
+metadata:
+  name: content-security-secrets
+  namespace: content-security
+  labels:
+    app: content-security-service
+type: Opaque
+stringData:
+  # WeChat Mini Program App ID (replace with actual value)
+  WX_APPID: "wx3527fe2fd49db523"
+  # WeChat Mini Program App Secret (replace with actual value)
+  WX_APPSECRET: "a8e92749ccf2f4bc2667833812a7bf4e"

deploy/content-security/service.yaml

@@ -0,0 +1,43 @@
+# ============================================================
+# Service: content-security-service
+# ClusterIP service for internal access from game namespaces.
+# ============================================================
+apiVersion: v1
+kind: Service
+metadata:
+  name: content-security-service
+  namespace: content-security
+  labels:
+    app: content-security-service
+spec:
+  type: ClusterIP
+  ports:
+    - name: http
+      port: 3000
+      protocol: TCP
+      targetPort: 3000
+  selector:
+    app: content-security-service
+---
+# ============================================================
+# Service: content-security-nodeport
+# NodePort service for external access (development/debug only).
+# Should be removed or restricted in production.
+# ============================================================
+apiVersion: v1
+kind: Service
+metadata:
+  name: content-security-nodeport
+  namespace: content-security
+  labels:
+    app: content-security-service
+spec:
+  type: NodePort
+  ports:
+    - name: http
+      port: 3000
+      protocol: TCP
+      targetPort: 3000
+      nodePort: 30082
+  selector:
+    app: content-security-service