docs: update CLAUDE.md with security, MQTT, and lock improvements

CLAUDE.md

 DRUID_PASSWORD=...
 ```
 
-Spring Boot config uses `${ENV_NAME:default}` syntax for all sensitive values.
+Spring Boot config uses `${ENV_NAME:default}` syntax for non-sensitive defaults only. **MySQL and Druid passwords have no fallback defaults** — missing env vars will cause startup failures.
 
 ## IoT Data Flow
 
     ├─→ MySQL (sys_controller, sys_device tables)
     └─→ TDengine (time-series telemetry tables)
 
-VehicleSyncTask (@Scheduled every 30s)
+VehicleSyncTask (@Scheduled every 30s, Redis distributed lock)
     ↓ reads Redis DSB:* keys
     ├─→ syncs to sysrealtime (MySQL)
     ├─→ updates vehicle GPS in sys_car (MySQL)
     ├─→ updates sys_indicators KPIs (MySQL)
-    └─→ triggers external webhook
+    └─→ triggers external webhook (URL from `iot.mqtt.vehicle-trigger-url` config)
 ```
 
 ## MQTT Consumers
 
-All MQTT consumers extend `AbstractMqttConsumer` which provides:
-- Connection management (reconnect, keepalive)
-- `checkServerAvailability()` with retry limits
+Two base classes handle MQTT connections:
+
+**`AbstractMqttConsumer`** (single-topic consumers):
+- Connection management with `synchronized` reconnect/disconnect
+- Broken-state MqttClient detection and recreation on reconnect
 - Graceful shutdown via `@PreDestroy`
 
+**`AbstractDynamicMqttConsumer`** (dynamic multi-topic consumers):
+- Incremental topic subscription refresh (add/remove only changed topics)
+- Batch subscribe with retry logic
+- Connection health checks before subscribe
+
 Implementations:
-- `MqttGenericConsumer` — General telemetry ingestion
-- `MqttStatusConsumer` — Device status messages
-- `MqttFaultConsumer` — Fault/alarm messages
+- `MqttGenericConsumer` — General telemetry ingestion (single-topic)
+- `MqttStatusConsumer` — Device status messages (single-topic)
+- `MqttFaultConsumer` — Fault/alarm messages (single-topic)
+- `MqttDynamicConsumer` — Dynamic topic subscription (extends AbstractDynamicMqttConsumer)
+- `MqttChargeStationConsumer` — Charge station telemetry (extends AbstractDynamicMqttConsumer)
 
 ## Deployment
 
 - Password max retry: 5 attempts, lock time: 10 minutes
 - XSS filtering enabled
 - SQL injection prevention: field whitelist + parameterized queries in TDengineService
-- Table name validation: regex `^[a-zA-Z_][a-zA-Z0-9_]*$` in SysrealtimeService
+- Table name validation: regex `^[a-zA-Z_][a-zA-Z0-9_]*$` in SysControllerService, SysFaultService, SysAlarmService
+- Input validation at MQTT consumer boundaries (null/empty checks on controllerId, path, timestamp, deviceId)
+- No hardcoded password fallbacks in config files — env vars required at startup
 
 ## API Response Format
 
 - **MyBatis mappers are Java interfaces** with XML mapping files in `src/main/resources/mapper/`
 - **Service naming**: Custom IoT services often use concrete classes directly (no `I` prefix)
 - **TDengine SQL**: Built with string concatenation but protected by field whitelist (`ALLOWED_COLUMNS`) and `escapeValue()`
-- **No distributed locks**: `VehicleSyncTask` scheduled tasks may duplicate in clustered environments
+- **Distributed locks**: `VehicleSyncTask` uses Redis `SET NX` for per-method distributed locking (30s delay, 60s TTL)
+- **TDengine cache bounds**: `stableColumnCache` capped at 1000 entries to prevent unbounded growth
 - **Alibaba Maven mirror** (`https://maven.aliyun.com/repository/public`) configured in root `pom.xml`