fix: E2E 测试发现的后端 BUG 修复 — 限流拆分 + 积分查询 + 错误码修正

- 拆分 refresh token 限流为独立中间件（30次/分 vs 登录5次/分）
- 修复积分 recent-activity 500：JOIN 通过 points_account 中间表
- 修复患者/医生不存在返回 400 → 正确的 404 NotFound

crates/erp-auth/src/module.rs

@@ -29,7 +29,6 @@ impl AuthModule {
     {
         Router::new()
             .route("/auth/login", axum::routing::post(auth_handler::login))
-            .route("/auth/refresh", axum::routing::post(auth_handler::refresh))
             .route(
                 "/auth/wechat/login",
                 axum::routing::post(wechat_handler::wechat_login),
@@ -40,6 +39,15 @@ impl AuthModule {
             )
     }
 
+    /// Refresh token routes — public but with higher rate limit (30/min vs 5/min for login).
+    pub fn refresh_routes<S>() -> Router<S>
+    where
+        crate::auth_state::AuthState: axum::extract::FromRef<S>,
+        S: Clone + Send + Sync + 'static,
+    {
+        Router::new().route("/auth/refresh", axum::routing::post(auth_handler::refresh))
+    }
+
     /// Build protected (authenticated) routes for the auth module.
     ///
     /// These routes require a valid JWT token, verified by the middleware layer.