fix: 全系统审计问题修复 — 安全/数据完整性/功能缺陷/UX (Phase 1-5)

Phase 1 安全热修复:
- P0-1: /uploads 文件服务添加 JWT 认证中间件（支持 header + query param）
- P0-2: analytics/batch 路由从 public 移到 protected_routes
- P0-3: plugin engine SQL 注入修复（format! → 参数化查询）
- P0-new: stats_service compute_avg_field 字段白名单 + FLOAT8 类型转换

Phase 2 数据完整性:
- P0-4: 组织删除级联检查（添加部门存在性校验）
- P0-5: 部门删除级联检查（添加岗位 + 用户存在性校验）
- P0-8: workflow on_tenant_deleted 实现 5 实体批量删除
- P0-7: 并行网关 race condition 修复（consumed → completed 原子转换）

Phase 3 P1 后端 Bug:
- P1-12: plugin host 表名消毒（使用 sanitize_identifier）
- P1-10: workflow deprecated 状态转换（published → deprecated）
- P1-11: workflow 更新验证条件（nodes/edges 任一变化即验证）
- P0-9: 小程序 .gitignore 添加 .env/.env.*/日志
- P1-19: 小程序加密密钥替换为 64 字符强密钥

Phase 4 消息模块:
- P1-5: 通知偏好 GET 路由 + handler
- P1-4: 消息模板 update/delete CRUD + version
- P2-8: mark_all_read SQL 添加 version + 1
- P2-7: markAsRead 改为乐观更新 + 失败回滚

Phase 5 前端修复:
- P2-9: 通知面板点击导航到 /messages
- P2-1: 随访任务患者名批量 ID 解析（替代 UUID 显示）
- P2-5: AppointmentList 分离 patient_id/doctor_id 分别调用 API
- P2-17: PluginMarket installed 字段修正（name → id）
- P3-3: 路由标题 fallback 改为模式匹配（支持 :id 动态路径）
- P2-15: workflow updateDefinition 添加 version 字段
- P3-9: Kanban 版本使用记录实际 version
- P2-21: secure-storage 生产环境无密钥时阻止存储
- P3-11: destroyOnHidden → destroyOnClose
- P3-13: PendingTasks 深色模式 Tag 颜色适配

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

crates/erp-server/src/main.rs

@@ -494,16 +494,15 @@ async fn main() -> anyhow::Result<()> {
             "/docs/openapi.json",
             axum::routing::get(handlers::openapi::openapi_spec),
         )
-        .route(
-            "/analytics/batch",
-            axum::routing::post(handlers::analytics::batch),
-        )
         .layer(axum::middleware::from_fn_with_state(
             state.clone(),
             middleware::rate_limit::rate_limit_by_ip,
         ))
         .with_state(state.clone());
 
+    // Clone jwt_secret for upload auth before protected_routes closure moves it
+    let secret_for_uploads = jwt_secret.clone();
+
     // Protected routes (JWT authentication required)
     // User-based rate limiting (100 req/min) applied after JWT auth
     let protected_routes = erp_auth::AuthModule::protected_routes()
@@ -522,6 +521,10 @@ async fn main() -> anyhow::Result<()> {
             "/admin/tenants/{id}/rotate-key",
             axum::routing::post(handlers::crypto_admin::rotate_tenant_key),
         )
+        .route(
+            "/analytics/batch",
+            axum::routing::post(handlers::analytics::batch),
+        )
         .layer(axum::middleware::from_fn_with_state(
             state.clone(),
             middleware::rate_limit::rate_limit_by_user,
@@ -540,9 +543,15 @@ async fn main() -> anyhow::Result<()> {
     // All API routes are nested under /api/v1
     let cors = build_cors_layer(&state.config.cors.allowed_origins);
     let upload_dir = state.config.storage.upload_dir.clone();
+    let uploads_router = Router::new()
+        .fallback_service(ServeDir::new(&upload_dir))
+        .layer(axum_middleware::from_fn(move |req, next| {
+            let secret = secret_for_uploads.clone();
+            async move { upload_auth_middleware(secret, req, next).await }
+        }));
     let app = Router::new()
         .nest("/api/v1", public_routes.merge(protected_routes))
-        .nest_service("/uploads", ServeDir::new(&upload_dir))
+        .nest("/uploads", uploads_router)
         .layer(cors);
 
     let addr = format!("{}:{}", host, port);
@@ -560,6 +569,48 @@ async fn main() -> anyhow::Result<()> {
     Ok(())
 }
 
+/// JWT auth middleware for `/uploads` file serving.
+///
+/// Accepts token from either `Authorization: Bearer <token>` header
+/// or `?token=<token>` query parameter (for browser `<img>` / direct downloads).
+async fn upload_auth_middleware(
+    jwt_secret: String,
+    req: axum::extract::Request,
+    next: axum::middleware::Next,
+) -> Result<axum::response::Response, erp_core::error::AppError> {
+    use erp_auth::service::token_service::TokenService;
+
+    let token = req
+        .headers()
+        .get(axum::http::header::AUTHORIZATION)
+        .and_then(|v| v.to_str().ok())
+        .and_then(|v| v.strip_prefix("Bearer "))
+        .map(|s| s.to_string())
+        .or_else(|| {
+            req.uri().query().and_then(|q| {
+                q.split('&').find_map(|pair| {
+                    let (k, v) = pair.split_once('=').unwrap_or((pair, ""));
+                    if k == "token" && !v.is_empty() {
+                        Some(v.to_string())
+                    } else {
+                        None
+                    }
+                })
+            })
+        });
+
+    let token = token.ok_or(erp_core::error::AppError::Unauthorized)?;
+
+    let claims = TokenService::decode_token(&token, &jwt_secret)
+        .map_err(|_| erp_core::error::AppError::Unauthorized)?;
+
+    if claims.token_type != "access" {
+        return Err(erp_core::error::AppError::Unauthorized);
+    }
+
+    Ok(next.run(req).await)
+}
+
 /// Build a CORS layer from the comma-separated allowed origins config.
 ///
 /// If the config is "*", allows all origins (development mode).