fix(security): resolve audit findings and compilation errors (Phase 6)

Security fixes:
- Add startup warning for default JWT secret in config
- Add enum validation for priority, recipient_type, channel fields
- Add pagination size cap (max 100) via safe_page_size()
- Return generic "权限不足" instead of specific permission names

Compilation fixes:
- Fix missing standard fields in ActiveModel for tokens/process_variables
- Fix migration imports for Statement/DatabaseBackend/Uuid
- Add version_field to process_definition ActiveModel

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

crates/erp-server/src/config.rs

@@ -59,6 +59,13 @@ impl AppConfig {
             .add_source(config::File::with_name("config/default"))
             .add_source(config::Environment::with_prefix("ERP").separator("__"))
             .build()?;
-        Ok(config.try_deserialize()?)
+        let app_config: Self = config.try_deserialize()?;
+
+        // 安全检查：禁止在生产使用默认 JWT 密钥
+        if app_config.jwt.secret == "change-me-in-production" {
+            tracing::warn!("⚠️  JWT 密钥使用默认值，请通过 ERP__JWT__SECRET 环境变量设置安全密钥");
+        }
+
+        Ok(app_config)
     }
 }