fix: 全局权限优化 — 7 项问题修复

1. 菜单权限修复：补充 10 个菜单的 permission 字段 + 修复 menu_service
   回退逻辑（admin 直接跳过过滤，非 admin 无关联则不显示）+ 收紧前端过滤
2. 管理员重置密码：新增 POST /users/{id}/reset-password 端点 + 前端按钮
3. 告警处理人姓名：AlertResponse 添加 acknowledged_by_name 字段
4. Tab 权限过滤：PatientDetail 6 个 Tab 按权限过滤 + 状态字段 Tooltip
5. 消息中心 UI：添加 Popconfirm/AuthButton，移除 inline isDark

crates/erp-server/migration/src/lib.rs

@@ -147,6 +147,7 @@ mod m20260512_000142_seed_copilot_rules;
 mod m20260512_000143_seed_copilot_alert_rules;
 mod m20260513_000144_enforce_version_optimistic_lock;
 mod m20260513_000145_seed_missing_permissions;
+mod m20260515_000146_seed_menu_permissions_phase2;
 
 pub struct Migrator;
 
@@ -301,6 +302,7 @@ impl MigratorTrait for Migrator {
             Box::new(m20260512_000143_seed_copilot_alert_rules::Migration),
             Box::new(m20260513_000144_enforce_version_optimistic_lock::Migration),
             Box::new(m20260513_000145_seed_missing_permissions::Migration),
+            Box::new(m20260515_000146_seed_menu_permissions_phase2::Migration),
         ]
     }
 }

crates/erp-server/migration/src/m20260515_000146_seed_menu_permissions_phase2.rs

@@ -0,0 +1,68 @@
+//! 补充基础模块菜单的 permission 字段（Phase 2）
+//!
+//! 以下菜单在初始 seed 时 permission 为 NULL，导致前端菜单过滤逻辑
+//! `if (!m.permission) return true` 放行了这些菜单，使无权限用户也能看到。
+
+use sea_orm_migration::prelude::*;
+
+#[derive(DeriveMigrationName)]
+pub struct Migration;
+
+#[async_trait::async_trait]
+impl MigrationTrait for Migration {
+    async fn up(&self, manager: &SchemaManager) -> Result<(), DbErr> {
+        let db = manager.get_connection();
+
+        let menu_perms: &[(&str, &str)] = &[
+            // 基础模块菜单
+            ("/", "health.dashboard.list"),          // 工作台
+            ("/users", "user.list"),                 // 用户管理
+            ("/roles", "permission.list"),           // 权限管理
+            ("/organizations", "organization.list"), // 组织架构
+            ("/workflow", "workflow.list"),          // 工作流
+            ("/messages", "message.list"),           // 消息中心
+            ("/settings", "config.settings.list"),   // 系统设置
+            ("/plugins/admin", "plugin.list"),       // 插件管理
+            // 健康模块遗漏
+            ("/health/statistics", "health.stats.list"), // 统计报表
+            ("/health/action-inbox", "health.action-inbox.list"), // 行动收件箱
+        ];
+
+        for &(path, perm) in menu_perms {
+            db.execute_unprepared(&format!(
+                "UPDATE menus SET permission = '{perm}', updated_at = NOW() \
+                 WHERE path = '{path}' AND deleted_at IS NULL AND (permission IS NULL OR permission = '')"
+            ))
+            .await?;
+        }
+
+        Ok(())
+    }
+
+    async fn down(&self, manager: &SchemaManager) -> Result<(), DbErr> {
+        let db = manager.get_connection();
+
+        let paths: &[&str] = &[
+            "/",
+            "/users",
+            "/roles",
+            "/organizations",
+            "/workflow",
+            "/messages",
+            "/settings",
+            "/plugins/admin",
+            "/health/statistics",
+            "/health/action-inbox",
+        ];
+
+        for &path in paths {
+            db.execute_unprepared(&format!(
+                "UPDATE menus SET permission = NULL, updated_at = NOW() \
+                 WHERE path = '{path}' AND deleted_at IS NULL"
+            ))
+            .await?;
+        }
+
+        Ok(())
+    }
+}