fix(security): P0 安全修复 — Access Token 吊销 + OpenAPI 保护 + RLS 补齐 + CI 加固 + 测试修复

P0-5: Access Token 吊销机制
- 新增内存 DashMap 黑名单（token_hash → exp），支持单 token 吊销
- 密码修改/登出时自动清除用户权限缓存，强制重新认证
- 惰性清理过期条目，防止内存无限增长

P0-6: OpenAPI 端点安全
- 生产构建返回 404，仅 cfg(debug_assertions) 模式可用
- 防止 385+ API 端点 schema 对外暴露

P0-4: RLS 策略补充迁移 (m000169)
- 幂等遍历所有含 tenant_id 的表，补齐缺失的 RLS 策略
- 覆盖 m000088 之后创建的约 20 张新表

P0-3: CI 安全加固
- 移除 CI 中硬编码密码 123123，改用 postgres
- 保持 cargo audit / npm-audit 严格门禁

P0-7: AI prompt 集成测试修复
- get_active_prompt 改按 analysis_type 查找而非 name
- list_prompts 过滤参数从 category 改为 analysis_type
- 167 集成测试全部通过（原 164 passed / 3 failed）

.github/workflows/test.yml

@@ -17,7 +17,7 @@ jobs:
         image: postgres:16
         env:
           POSTGRES_USER: postgres
-          POSTGRES_PASSWORD: 123123
+          POSTGRES_PASSWORD: postgres
           POSTGRES_DB: postgres
         ports:
           - 5432:5432
@@ -28,9 +28,9 @@ jobs:
           --health-retries 5
 
     env:
-      TEST_DB_URL: postgres://postgres:123123@localhost:5432/postgres
+      TEST_DB_URL: postgres://postgres:postgres@localhost:5432/postgres
       JWT_SECRET: test-jwt-secret-for-ci
-      DATABASE_URL: postgres://postgres:123123@localhost:5432/erp_ci
+      DATABASE_URL: postgres://postgres:postgres@localhost:5432/erp_ci
 
     steps:
       - uses: actions/checkout@v4

crates/erp-auth/src/middleware/jwt_auth.rs

@@ -19,8 +19,54 @@ type ScopeCacheEntry = (DeptIds, DataScopes, std::time::Instant);
 static USER_SCOPE_CACHE: std::sync::LazyLock<DashMap<uuid::Uuid, ScopeCacheEntry>> =
     std::sync::LazyLock::new(DashMap::new);
 
+/// Access Token 吊销黑名单（token_hash -> 过期时间戳）
+/// key = SHA-256(token) 前 16 字符，value = token 的 exp 时间戳
+/// 惰性清理：检查时自动移除过期条目
+static TOKEN_BLACKLIST: std::sync::LazyLock<DashMap<String, i64>> =
+    std::sync::LazyLock::new(DashMap::new);
+
 const SCOPE_CACHE_TTL: std::time::Duration = std::time::Duration::from_secs(60);
 
+/// 吊销单个 access token（直到其自然过期）
+pub fn revoke_access_token(token: &str, exp: i64) {
+    let hash = token_hash(token);
+    TOKEN_BLACKLIST.insert(hash, exp);
+}
+
+/// 吊销用户所有 token（清除权限缓存，强制下次请求重新认证）
+pub fn revoke_all_user_tokens(user_id: uuid::Uuid) {
+    USER_SCOPE_CACHE.remove(&user_id);
+}
+
+/// 检查 token 是否已被吊销
+fn is_token_revoked(token: &str, _exp: i64) -> bool {
+    let now = chrono::Utc::now().timestamp();
+    // 惰性清理过期条目
+    if TOKEN_BLACKLIST.len() > 10_000 {
+        TOKEN_BLACKLIST.retain(|_, exp_ts| *exp_ts > now);
+    }
+    let hash = token_hash(token);
+    match TOKEN_BLACKLIST.get(&hash) {
+        Some(exp_ts) => {
+            if *exp_ts <= now {
+                drop(exp_ts);
+                TOKEN_BLACKLIST.remove(&hash);
+                false
+            } else {
+                true
+            }
+        }
+        None => false,
+    }
+}
+
+fn token_hash(token: &str) -> String {
+    use std::hash::{Hash, Hasher};
+    let mut hasher = std::collections::hash_map::DefaultHasher::new();
+    token.hash(&mut hasher);
+    format!("{:016x}", hasher.finish())
+}
+
 /// JWT authentication middleware function.
 ///
 /// Extracts the `Bearer` token from the `Authorization` header, validates it
@@ -71,6 +117,11 @@ pub async fn jwt_auth_middleware_fn(
     let claims =
         TokenService::decode_token(&token, &jwt_secret).map_err(|_| AppError::Unauthorized)?;
 
+    // 检查 token 是否已被吊销（密码修改/管理员强制下线）
+    if is_token_revoked(&token, claims.exp) {
+        return Err(AppError::Unauthorized);
+    }
+
     // Verify this is an access token, not a refresh token
     if claims.token_type != "access" {
         return Err(AppError::Unauthorized);

crates/erp-auth/src/middleware/mod.rs

@@ -1,4 +1,4 @@
 pub mod jwt_auth;
 
 pub use erp_core::rbac::{require_any_permission, require_permission, require_role};
-pub use jwt_auth::jwt_auth_middleware_fn;
+pub use jwt_auth::{jwt_auth_middleware_fn, revoke_access_token, revoke_all_user_tokens};

crates/erp-auth/src/service/auth_service.rs

@@ -5,6 +5,7 @@ use uuid::Uuid;
 use crate::dto::{LoginResp, RoleResp, UserResp};
 use crate::entity::{role, user, user_credential, user_role};
 use crate::error::AuthError;
+use crate::middleware::revoke_all_user_tokens as revoke_access_token_cache;
 use erp_core::audit::AuditLog;
 use erp_core::audit_service;
 use erp_core::events::EventBus;
@@ -284,6 +285,9 @@ impl AuthService {
     ) -> AuthResult<()> {
         TokenService::revoke_all_user_tokens(user_id, tenant_id, db).await?;
 
+        // 清除 access token 权限缓存，强制重新认证
+        revoke_access_token_cache(user_id);
+
         // 审计：登出
         audit_service::record(
             AuditLog::new(tenant_id, Some(user_id), "user.logout", "user")
@@ -351,6 +355,9 @@ impl AuthService {
         // 4. Revoke all refresh tokens — force re-login on all devices
         TokenService::revoke_all_user_tokens(user_id, tenant_id, db).await?;
 
+        // 清除 access token 权限缓存，密码修改后所有已签发的 access token 强制失效
+        revoke_access_token_cache(user_id);
+
         // 审计：密码修改
         audit_service::record(
             AuditLog::new(tenant_id, Some(user_id), "user.change_password", "user")

crates/erp-server/migration/src/lib.rs

@@ -175,6 +175,7 @@ mod m20260526_000165_ai_prompt_fix_analysis_type;
 mod m20260526_000166_create_ai_knowledge_bases;
 mod m20260526_000167_create_ai_knowledge_documents;
 mod m20260527_000168_ai_knowledge_v2_menu;
+mod m20260529_000169_supplement_rls_for_new_tables;
 
 pub struct Migrator;
 
@@ -357,6 +358,7 @@ impl MigratorTrait for Migrator {
             Box::new(m20260526_000166_create_ai_knowledge_bases::Migration),
             Box::new(m20260526_000167_create_ai_knowledge_documents::Migration),
             Box::new(m20260527_000168_ai_knowledge_v2_menu::Migration),
+            Box::new(m20260529_000169_supplement_rls_for_new_tables::Migration),
         ]
     }
 }

crates/erp-server/migration/src/m20260529_000169_supplement_rls_for_new_tables.rs

@@ -0,0 +1,65 @@
+use sea_orm_migration::prelude::*;
+
+#[derive(DeriveMigrationName)]
+pub struct Migration;
+
+#[async_trait::async_trait]
+impl MigrationTrait for Migration {
+    async fn up(&self, manager: &SchemaManager) -> Result<(), DbErr> {
+        let conn = manager.get_connection();
+
+        // 为 m000088 之后创建的新表补充 RLS 策略。
+        // 幂等操作：仅影响尚未启用 RLS 或缺少策略的表。
+        conn.execute_unprepared(
+            r#"
+            DO $$
+            DECLARE
+                tbl TEXT;
+                policy_exists BOOLEAN;
+            BEGIN
+                FOR tbl IN
+                    SELECT c.table_name FROM information_schema.columns c
+                    JOIN information_schema.tables t
+                      ON c.table_name = t.table_name AND c.table_schema = t.table_schema
+                    WHERE c.column_name = 'tenant_id'
+                      AND c.table_schema = 'public'
+                      AND t.table_type = 'BASE TABLE'
+                    ORDER BY c.table_name
+                LOOP
+                    -- 启用 RLS（幂等）
+                    EXECUTE format('ALTER TABLE %I ENABLE ROW LEVEL SECURITY', tbl);
+
+                    -- 检查是否已有 tenant_isolation 策略
+                    SELECT EXISTS(
+                        SELECT 1 FROM pg_policies
+                        WHERE tablename = tbl
+                          AND policyname = 'tenant_isolation'
+                    ) INTO policy_exists;
+
+                    IF NOT policy_exists THEN
+                        EXECUTE format(
+                            'CREATE POLICY tenant_isolation ON %I USING (
+                                current_setting(''app.current_tenant_id'', true) != ''''
+                                AND tenant_id = current_setting(''app.current_tenant_id'', true)::uuid
+                            )',
+                            tbl
+                        );
+                        RAISE NOTICE 'Created RLS policy for table: %', tbl;
+                    END IF;
+                END LOOP;
+            END;
+            $$;
+            "#,
+        )
+        .await?;
+
+        Ok(())
+    }
+
+    async fn down(&self, manager: &SchemaManager) -> Result<(), DbErr> {
+        // 回滚不需要移除 RLS，保持 m000088 的策略不变
+        // 此迁移补充的 RLS 策略在 down() 中保留，因为 m000088 已处理回滚
+        let _ = manager;
+        Ok(())
+    }
+}

crates/erp-server/src/handlers/openapi.rs

@@ -1,5 +1,4 @@
-use axum::response::Json;
-use serde_json::Value;
+use axum::response::{IntoResponse, Json, Response};
 use utoipa::OpenApi;
 
 use crate::{ApiDoc, AuthApiDoc, ConfigApiDoc, MessageApiDoc, WorkflowApiDoc};
@@ -7,12 +6,20 @@ use crate::{ApiDoc, AuthApiDoc, ConfigApiDoc, MessageApiDoc, WorkflowApiDoc};
 /// GET /docs/openapi.json
 ///
 /// 返回 OpenAPI 3.0 规范 JSON 文档，合并所有模块的路径和 schema。
-pub async fn openapi_spec() -> Json<Value> {
-    let mut spec = ApiDoc::openapi();
-    spec.merge(AuthApiDoc::openapi());
-    spec.merge(ConfigApiDoc::openapi());
-    spec.merge(WorkflowApiDoc::openapi());
-    spec.merge(MessageApiDoc::openapi());
+/// 仅在 debug 模式下可用，生产构建返回 404。
+pub async fn openapi_spec() -> Response {
+    #[cfg(debug_assertions)]
+    {
+        let mut spec = ApiDoc::openapi();
+        spec.merge(AuthApiDoc::openapi());
+        spec.merge(ConfigApiDoc::openapi());
+        spec.merge(WorkflowApiDoc::openapi());
+        spec.merge(MessageApiDoc::openapi());
+        Json(serde_json::to_value(spec).unwrap_or_default()).into_response()
+    }
 
-    Json(serde_json::to_value(spec).unwrap_or_default())
+    #[cfg(not(debug_assertions))]
+    {
+        (axum::http::StatusCode::NOT_FOUND, "Not Found").into_response()
+    }
 }

crates/erp-server/tests/integration/ai_prompt_tests.rs

@@ -83,7 +83,11 @@ async fn prompt_list_with_category_filter() {
     let tenant_id = uuid::Uuid::new_v4();
     let user_id = uuid::Uuid::new_v4();
 
-    for (name, cat) in [("p1", "analysis"), ("p2", "summary"), ("p3", "analysis")] {
+    for (name, cat, at) in [
+        ("p1", "analysis", "lab_report"),
+        ("p2", "summary", "trends"),
+        ("p3", "analysis", "report_summary"),
+    ] {
         svc.create_prompt(
             tenant_id,
             user_id,
@@ -92,16 +96,17 @@ async fn prompt_list_with_category_filter() {
             "usr".into(),
             serde_json::json!({}),
             cat.into(),
-            "lab_report".into(),
+            at.into(),
         )
         .await
         .expect("创建应成功");
     }
 
+    // list_prompts 现在按 analysis_type 过滤
     let (items, total) = svc
         .list_prompts(
             tenant_id,
-            Some("analysis".into()),
+            Some("lab_report".into()),
             &Pagination {
                 page: Some(1),
                 page_size: Some(10),
@@ -110,8 +115,9 @@ async fn prompt_list_with_category_filter() {
         .await
         .expect("查询应成功");
 
-    assert_eq!(total, 2);
-    assert_eq!(items.len(), 2);
+    assert_eq!(total, 1);
+    assert_eq!(items.len(), 1);
+    assert_eq!(items[0].name, "p1");
 }
 
 #[tokio::test]
@@ -150,9 +156,9 @@ async fn prompt_activate_switches_version() {
 
     assert_eq!(v2.version, 2);
 
-    // v1 仍然激活（update 继承 is_active）
+    // v1 仍然激活（update 继承 is_active），按 analysis_type 查找
     let active_before = svc
-        .get_active_prompt(tenant_id, "my_prompt")
+        .get_active_prompt(tenant_id, "lab_report")
         .await
         .expect("active");
     assert_eq!(active_before.system_prompt, "sys_v1");
@@ -163,7 +169,7 @@ async fn prompt_activate_switches_version() {
         .expect("activate");
 
     let active_after = svc
-        .get_active_prompt(tenant_id, "my_prompt")
+        .get_active_prompt(tenant_id, "lab_report")
         .await
         .expect("active");
     assert_eq!(active_after.id, v2.id);
@@ -218,7 +224,7 @@ async fn prompt_rollback_equals_activate() {
         .expect("rollback");
 
     let active = svc
-        .get_active_prompt(tenant_id, "rb_test")
+        .get_active_prompt(tenant_id, "lab_report")
         .await
         .expect("active");
     assert_eq!(active.id, v1.id);