fix: 全局权限优化 — 7 项问题修复

1. 菜单权限修复：补充 10 个菜单的 permission 字段 + 修复 menu_service
   回退逻辑（admin 直接跳过过滤，非 admin 无关联则不显示）+ 收紧前端过滤
2. 管理员重置密码：新增 POST /users/{id}/reset-password 端点 + 前端按钮
3. 告警处理人姓名：AlertResponse 添加 acknowledged_by_name 字段
4. Tab 权限过滤：PatientDetail 6 个 Tab 按权限过滤 + 状态字段 Tooltip
5. 消息中心 UI：添加 Popconfirm/AuthButton，移除 inline isDark

crates/erp-auth/src/service/user_service.rs

@@ -434,6 +434,67 @@ impl UserService {
         result
     }
 
+    /// 管理员重置指定用户密码。
+    pub async fn reset_password(
+        user_id: Uuid,
+        tenant_id: Uuid,
+        operator_id: Uuid,
+        new_password: &str,
+        version: i32,
+        db: &sea_orm::DatabaseConnection,
+    ) -> AuthResult<()> {
+        // 1. 验证用户存在且属于当前租户
+        let user_model = user::Entity::find()
+            .filter(user::Column::Id.eq(user_id))
+            .filter(user::Column::TenantId.eq(tenant_id))
+            .filter(user::Column::DeletedAt.is_null())
+            .one(db)
+            .await
+            .map_err(|e| AuthError::Validation(e.to_string()))?
+            .ok_or_else(|| AuthError::Validation("用户不存在".to_string()))?;
+
+        let _next_version = check_version(version, user_model.version)
+            .map_err(|_| AuthError::Validation("版本冲突，请刷新后重试".to_string()))?;
+
+        // 2. 查找密码凭证
+        let cred = user_credential::Entity::find()
+            .filter(user_credential::Column::UserId.eq(user_id))
+            .filter(user_credential::Column::TenantId.eq(tenant_id))
+            .filter(user_credential::Column::CredentialType.eq("password"))
+            .filter(user_credential::Column::DeletedAt.is_null())
+            .one(db)
+            .await
+            .map_err(|e| AuthError::Validation(e.to_string()))?
+            .ok_or_else(|| AuthError::Validation("用户凭证不存在".to_string()))?;
+
+        // 3. 哈希新密码并更新凭证
+        let new_hash = password::hash_password(new_password)?;
+        let cred_version = cred.version;
+        let mut cred_active: user_credential::ActiveModel = cred.into();
+        cred_active.credential_data = Set(Some(serde_json::json!({ "hash": new_hash })));
+        cred_active.updated_at = Set(Utc::now());
+        cred_active.updated_by = Set(operator_id);
+        cred_active.version = Set(cred_version + 1);
+        cred_active
+            .update(db)
+            .await
+            .map_err(|e| AuthError::Validation(e.to_string()))?;
+
+        // 4. 吊销所有 refresh token
+        super::token_service::TokenService::revoke_all_user_tokens(user_id, tenant_id, db).await?;
+
+        // 5. 审计日志
+        audit_service::record(
+            AuditLog::new(tenant_id, Some(operator_id), "user.reset_password", "user")
+                .with_resource_id(user_id),
+            db,
+        )
+        .await;
+
+        tracing::info!(user_id = %user_id, operator_id = %operator_id, "Password reset by admin");
+        Ok(())
+    }
+
     /// Fetch role details for a single user, returning RoleResp DTOs.
     async fn fetch_user_role_resps(
         user_id: Uuid,