fix(security): Q2 Chunk 1 — 密钥外部化与启动强制检查

- default.toml 敏感值改为占位符，强制通过环境变量注入
- 启动时拒绝默认 JWT 密钥和数据库 URL
- 移除 super_admin_password 硬编码 fallback
- 移除 From<AppError> for AuthError 反向映射，5 处调用点改为显式 map_err
- .gitignore 添加 .test_token 和测试产物

crates/erp-server/config/default.toml

@@ -3,7 +3,7 @@ host = "0.0.0.0"
 port = 3000
 
 [database]
-url = "postgres://erp:erp_dev_2024@localhost:5432/erp"
+url = "__MUST_SET_VIA_ENV__"
 max_connections = 20
 min_connections = 5
 
@@ -11,12 +11,12 @@ min_connections = 5
 url = "redis://localhost:6379"
 
 [jwt]
-secret = "change-me-in-production"
+secret = "__MUST_SET_VIA_ENV__"
 access_token_ttl = "15m"
 refresh_token_ttl = "7d"
 
 [auth]
-super_admin_password = "Admin@2026"
+super_admin_password = "__MUST_SET_VIA_ENV__"
 
 [log]
 level = "info"

crates/erp-server/src/main.rs

@@ -186,6 +186,20 @@ async fn main() -> anyhow::Result<()> {
     // Load config
     let config = AppConfig::load()?;
 
+    // ── 安全检查：拒绝默认密钥 ──────────────────────────
+    if config.jwt.secret == "__MUST_SET_VIA_ENV__" || config.jwt.secret == "change-me-in-production" {
+        tracing::error!(
+            "JWT 密钥为默认值，拒绝启动。请设置环境变量 ERP__JWT__SECRET"
+        );
+        std::process::exit(1);
+    }
+    if config.database.url == "__MUST_SET_VIA_ENV__" {
+        tracing::error!(
+            "数据库 URL 为默认占位值，拒绝启动。请设置环境变量 ERP__DATABASE__URL"
+        );
+        std::process::exit(1);
+    }
+
     // Initialize tracing
     tracing_subscriber::fmt()
         .with_env_filter(