feat: initialize ERP base platform (extracted from HMS)

- Stripped 11 business crates (health, ai, dialysis, plugins)
- Cleaned AppState, AppConfig, main.rs from business coupling
- Reduced migrations from 169 to 53 (base-only)
- Removed health_provider trait from erp-core
- Removed business integration tests
- Removed gateway rate limiting middleware
- Base capabilities: auth, RBAC, JWT, config, workflow, message, plugin, audit, crypto, RLS, multi-tenant

Cargo check: OK
Cargo test: OK

docker/backup.sh

@@ -0,0 +1,95 @@
+#!/usr/bin/env bash
+# PostgreSQL 自动备份脚本（含加密）
+# 用法:
+#   手动: ./docker/backup.sh
+#   自动: 由 docker compose backup 服务每日 02:00 执行
+#
+# 加密方式（二选一）:
+#   BACKUP_PASSPHRASE — 使用 openssl AES-256-CBC 对称加密（无额外依赖）
+#   GPG_RECIPIENT     — 使用 GPG 非对称加密（需预置公钥）
+set -euo pipefail
+
+BACKUP_DIR="${BACKUP_DIR:-/backups}"
+PG_HOST="${PGHOST:-postgres}"
+PG_PORT="${PGPORT:-5432}"
+PG_USER="${PGUSER:-erp}"
+PG_DB="${PGDATABASE:-erp}"
+KEEP_DAYS="${KEEP_DAYS:-7}"
+TIMESTAMP=$(date +%Y%m%d_%H%M%S)
+FILENAME="${PG_DB}_${TIMESTAMP}.sql.gz"
+ENCRYPTED_FILENAME="${FILENAME}.enc"
+FILEPATH="${BACKUP_DIR}/${FILENAME}"
+ENCRYPTED_FILEPATH="${BACKUP_DIR}/${ENCRYPTED_FILENAME}"
+
+mkdir -p "${BACKUP_DIR}"
+
+echo "[$(date -Iseconds)] 开始备份 ${PG_DB} → ${FILEPATH}"
+
+if pg_dump \
+    -h "${PG_HOST}" \
+    -p "${PG_PORT}" \
+    -U "${PG_USER}" \
+    -d "${PG_DB}" \
+    --format=plain \
+    --no-owner \
+    --no-privileges \
+    | gzip > "${FILEPATH}"; then
+    SIZE=$(du -h "${FILEPATH}" | cut -f1)
+    echo "[$(date -Iseconds)] 备份完成: ${FILENAME} (${SIZE})"
+else
+    echo "[$(date -Iseconds)] 备份失败！" >&2
+    rm -f "${FILEPATH}"
+    exit 1
+fi
+
+# ── 加密备份 ──
+if [ -n "${BACKUP_PASSPHRASE:-}" ]; then
+    echo "[$(date -Iseconds)] 使用 AES-256-CBC 加密备份..."
+    if openssl enc -aes-256-cbc -salt -pbkdf2 -pass "pass:${BACKUP_PASSPHRASE}" \
+        -in "${FILEPATH}" -out "${ENCRYPTED_FILEPATH}"; then
+        rm -f "${FILEPATH}"
+        ENC_SIZE=$(du -h "${ENCRYPTED_FILEPATH}" | cut -f1)
+        echo "[$(date -Iseconds)] 加密完成: ${ENCRYPTED_FILENAME} (${ENC_SIZE})"
+    else
+        echo "[$(date -Iseconds)] 加密失败！保留未加密备份" >&2
+        rm -f "${ENCRYPTED_FILEPATH}"
+    fi
+elif [ -n "${GPG_RECIPIENT:-}" ]; then
+    echo "[$(date -Iseconds)] 使用 GPG 加密备份..."
+    if gpg --batch --yes --encrypt --recipient "${GPG_RECIPIENT}" "${FILEPATH}"; then
+        rm -f "${FILEPATH}"
+        ENC_SIZE=$(du -h "${ENCRYPTED_FILEPATH}" | cut -f1)
+        echo "[$(date -Iseconds)] 加密完成: ${ENCRYPTED_FILENAME} (${ENC_SIZE})"
+    else
+        echo "[$(date -Iseconds)] GPG 加密失败！保留未加密备份" >&2
+        rm -f "${FILEPATH}.gpg"
+    fi
+else
+    echo "[$(date -Iseconds)] 警告: 未设置 BACKUP_PASSPHRASE 或 GPG_RECIPIENT，备份未加密！" >&2
+fi
+
+# ── 备份完整性校验 ──
+LATEST_FILE=$(ls -t "${BACKUP_DIR}/${PG_DB}"_*.sql.gz* 2>/dev/null | head -1)
+if [ -n "${LATEST_FILE}" ] && [ -f "${LATEST_FILE}" ]; then
+    if [[ "${LATEST_FILE}" == *.enc ]]; then
+        echo "[$(date -Iseconds)] 加密备份文件存在: $(basename "${LATEST_FILE}")"
+    elif gzip -t "${LATEST_FILE}" 2>/dev/null; then
+        echo "[$(date -Iseconds)] 备份完整性校验通过"
+    else
+        echo "[$(date -Iseconds)] 警告: 备份文件可能损坏: ${LATEST_FILE}" >&2
+    fi
+fi
+
+# ── 清理过期备份 ──
+DELETED=$(find "${BACKUP_DIR}" -name "${PG_DB}_*.sql.gz*" -mtime +${KEEP_DAYS} -delete -print | wc -l)
+if [ "${DELETED}" -gt 0 ]; then
+    echo "[$(date -Iseconds)] 已清理 ${DELETED} 个过期备份（>${KEEP_DAYS}天）"
+fi
+
+# ── 恢复指引 ──
+echo ""
+echo "恢复方法:"
+echo "  # 解密（如加密）:"
+echo "  openssl enc -d -aes-256-cbc -pbkdf2 -pass pass:\$BACKUP_PASSPHRASE -in ${ENCRYPTED_FILEPATH} -out ${FILEPATH}"
+echo "  # 恢复:"
+echo "  gunzip -c ${FILEPATH} | psql -h \$PGHOST -U \$PGUSER -d \$PGDB"