feat(miniprogram): Token XOR 混淆存储

- 新增 secure-storage 工具：XOR + Base64 混淆 token 存储
- request.ts 和 auth.ts 中所有 access_token/refresh_token 存取
  均通过 secure-storage，避免明文暴露在 Storage 中

apps/miniprogram/src/services/request.ts

@@ -1,4 +1,5 @@
 import Taro from '@tarojs/taro';
+import { secureGet, secureSet, secureRemove } from '@/utils/secure-storage';
 
 const BASE_URL = process.env.TARO_APP_API_URL || 'http://localhost:3000/api/v1';
 
@@ -10,7 +11,7 @@ interface ApiResponse<T> {
 
 async function getHeaders(): Promise<Record<string, string>> {
   const headers: Record<string, string> = { 'Content-Type': 'application/json' };
-  const token = Taro.getStorageSync('access_token');
+  const token = secureGet('access_token');
   if (token) headers['Authorization'] = `Bearer ${token}`;
   const patientId = Taro.getStorageSync('current_patient_id');
   if (patientId) headers['X-Patient-Id'] = patientId;
@@ -20,7 +21,7 @@ async function getHeaders(): Promise<Record<string, string>> {
 }
 
 async function tryRefreshToken(): Promise<boolean> {
-  const refreshToken = Taro.getStorageSync('refresh_token');
+  const refreshToken = secureGet('refresh_token');
   if (!refreshToken) return false;
   try {
     const res = await Taro.request({
@@ -29,15 +30,15 @@ async function tryRefreshToken(): Promise<boolean> {
       data: { refresh_token: refreshToken },
     });
     if (res.statusCode === 200 && res.data?.success) {
-      Taro.setStorageSync('access_token', res.data.data.access_token);
-      Taro.setStorageSync('refresh_token', res.data.data.refresh_token);
+      secureSet('access_token', res.data.data.access_token);
+      secureSet('refresh_token', res.data.data.refresh_token);
       return true;
     }
   } catch (err) {
     console.error('[tryRefreshToken] token 刷新失败:', err);
   }
-  Taro.removeStorageSync('access_token');
-  Taro.removeStorageSync('refresh_token');
+  secureRemove('access_token');
+  secureRemove('refresh_token');
   return false;
 }