fix(health): 修复 5 角色深度测试发现的权限越权和告警端点缺失

- auth: token_service 查询 role_permissions/user_roles 添加 deleted_at 过滤，
  修复软删除的权限仍被加载到 JWT 的越权漏洞
- health: 新增 GET /health/alerts/{id} 告警详情端点（含 handler + service + 路由）
- web: AlertList 操作按钮增加 active 状态判断，修复按钮不显示
- migration: 新增 000127 清理 doctor 角色多余的 health-data.manage/ai.analysis.manage

crates/erp-health/src/handler/alert_handler.rs

@@ -49,6 +49,20 @@ where
     })))
 }
 
+pub async fn get_alert<S>(
+    State(state): State<HealthState>,
+    Extension(ctx): Extension<TenantContext>,
+    Path(id): Path<Uuid>,
+) -> Result<impl IntoResponse, AppError>
+where
+    HealthState: FromRef<S>,
+    S: Clone + Send + Sync + 'static,
+{
+    require_permission(&ctx, "health.alerts.list")?;
+    let alert = alert_service::get_alert(&state, ctx.tenant_id, id).await?;
+    Ok(axum::Json(ApiResponse::ok(alert)))
+}
+
 pub async fn acknowledge<S>(
     State(state): State<HealthState>,
     Extension(ctx): Extension<TenantContext>,