fix(security): Q2 Chunk 1 — 密钥外部化与启动强制检查

- default.toml 敏感值改为占位符，强制通过环境变量注入
- 启动时拒绝默认 JWT 密钥和数据库 URL
- 移除 super_admin_password 硬编码 fallback
- 移除 From<AppError> for AuthError 反向映射，5 处调用点改为显式 map_err
- .gitignore 添加 .test_token 和测试产物

crates/erp-auth/src/error.rs

@@ -43,15 +43,6 @@ impl From<AuthError> for AppError {
     }
 }
 
-impl From<AppError> for AuthError {
-    fn from(err: AppError) -> Self {
-        match err {
-            AppError::VersionMismatch => AuthError::VersionMismatch,
-            other => AuthError::Validation(other.to_string()),
-        }
-    }
-}
-
 pub type AuthResult<T> = Result<T, AuthError>;
 
 #[cfg(test)]
@@ -104,28 +95,4 @@ mod tests {
         }
     }
 
-    #[test]
-    fn auth_error_version_mismatch_roundtrip() {
-        // AuthError::VersionMismatch -> AppError::VersionMismatch -> AuthError::VersionMismatch
-        let app: AppError = AuthError::VersionMismatch.into();
-        match app {
-            AppError::VersionMismatch => {}
-            other => panic!("Expected VersionMismatch, got {:?}", other),
-        }
-        // And back
-        let auth: AuthError = AppError::VersionMismatch.into();
-        match auth {
-            AuthError::VersionMismatch => {}
-            other => panic!("Expected VersionMismatch, got {:?}", other),
-        }
-    }
-
-    #[test]
-    fn app_error_other_maps_to_auth_validation() {
-        let auth: AuthError = AppError::NotFound("not found".to_string()).into();
-        match auth {
-            AuthError::Validation(msg) => assert!(msg.contains("not found")),
-            other => panic!("Expected Validation, got {:?}", other),
-        }
-    }
 }