fix(miniprogram): 小程序审计修复 — 安全加固+功能链路+输入验证

安全修复:
- H1: Token 刷新竞态条件 → Singleton Promise 模式防止并发刷新
- H4: 移除 store 中的 token 明文状态，统一走 secure storage
- H5: 登录/绑定手机号添加 loading 防重复点击保护
- H6: Analytics 改用 request.ts 统一请求层，不再绕过认证
- M1: logout 清理所有残留数据(openid/tenant_id/analytics_queue)
- M2/M7: 敏感数据(user/openid/tenant_id)统一走加密存储
- M3: 移除开发日志中的请求体打印
- M4: secure-storage 解密失败返回 null 而非空串

功能修复:
- F1: 今日体征概览 API 支持 patient_id 查询参数(后端+前端)
- F2: 积分商城对无患者档案用户展示引导 UI
- M6: daily-monitoring 添加 Zod 数值范围验证

清理:
- L4: 移除 devLogin 开发辅助函数

apps/miniprogram/src/pages/health/daily-monitoring/index.tsx

@@ -1,11 +1,17 @@
 import { useState } from 'react';
 import { View, Text, Input, Picker } from '@tarojs/components';
 import Taro, { useDidShow } from '@tarojs/taro';
+import { z } from 'zod';
 import { createDailyMonitoring } from '@/services/health';
 import { useAuthStore } from '@/stores/auth';
 import { trackEvent } from '@/services/analytics';
 import './index.scss';
 
+const bpSchema = z.number().min(30, '血压值不能低于30').max(300, '血压值不能高于300').optional();
+const weightSchema = z.number().min(1, '体重不能低于1kg').max(500, '体重不能高于500kg').optional();
+const bloodSugarSchema = z.number().min(0.1, '血糖值不能低于0.1').max(50, '血糖值不能高于50').optional();
+const volumeSchema = z.number().min(0, '数值不能为负').max(10000, '数值超出合理范围').optional();
+
 function formatDate(date: Date): string {
   const y = date.getFullYear();
   const m = String(date.getMonth() + 1).padStart(2, '0');
@@ -81,6 +87,40 @@ export default function DailyMonitoring() {
       return;
     }
 
+    // Zod 验证数值范围
+    const parseNum = (v: string) => v ? parseFloat(v) : undefined;
+    const fields = {
+      morningSystolic: parseNum(morningSystolic),
+      morningDiastolic: parseNum(morningDiastolic),
+      eveningSystolic: parseNum(eveningSystolic),
+      eveningDiastolic: parseNum(eveningDiastolic),
+      weight: parseNum(weight),
+      bloodSugar: parseNum(bloodSugar),
+      fluidIntake: parseNum(fluidIntake),
+      urineOutput: parseNum(urineOutput),
+    };
+
+    const validations: Array<[z.ZodTypeAny, number | undefined, string]> = [
+      [bpSchema, fields.morningSystolic, '晨起收缩压'],
+      [bpSchema, fields.morningDiastolic, '晨起舒张压'],
+      [bpSchema, fields.eveningSystolic, '晚间收缩压'],
+      [bpSchema, fields.eveningDiastolic, '晚间舒张压'],
+      [weightSchema, fields.weight, '体重'],
+      [bloodSugarSchema, fields.bloodSugar, '血糖'],
+      [volumeSchema, fields.fluidIntake, '饮水量'],
+      [volumeSchema, fields.urineOutput, '尿量'],
+    ];
+
+    for (const [schema, value, label] of validations) {
+      if (value !== undefined) {
+        const result = schema.safeParse(value);
+        if (!result.success) {
+          Taro.showToast({ title: `${label}: ${result.error.errors[0].message}`, icon: 'none' });
+          return;
+        }
+      }
+    }
+
     setSubmitting(true);
     try {
       await createDailyMonitoring({