feat(plugin): P2-P4 插件平台演进 — 通用服务 + 质量保障 + 市场

P2 平台通用服务:
- manifest 扩展: settings/numbering/templates/trigger_events/importable/exportable 声明
- 插件配置 UI: PluginSettingsForm 自动表单 + 后端校验 + 详情抽屉 Settings 标签页
- 编号规则: Host API numbering-generate + PostgreSQL 序列 + manifest 绑定
- 触发事件: data_service create/update/delete 自动发布 DomainEvent
- WIT 接口: 新增 numbering-generate/setting-get Host API

P3 质量保障:
- plugin_validator.rs: 安全扫描(WASM大小/实体数量/字段校验) + 复杂度评分
- 运行时监控指标: RuntimeMetrics (错误率/响应时间/Fuel/内存)
- 性能基准: BenchmarkResult 阈值定义
- 上传时自动安全扫描 + /validate API 端点

P4 插件市场:
- 数据库迁移: plugin_market_entries + plugin_market_reviews 表
- 前端 PluginMarket 页面: 分类浏览/搜索/详情/评分
- 路由注册: /plugins/market

测试: 269 全通过 (71 erp-plugin + 41 auth + 57 config + 34 core + 50 message + 16 workflow)

crates/erp-plugin/src/handler/plugin_handler.rs

@@ -456,3 +456,32 @@ where
 
     Ok(Json(ApiResponse::ok(result)))
 }
+
+#[utoipa::path(
+    get,
+    path = "/api/v1/admin/plugins/{id}/validate",
+    params(("id" = Uuid, Path, description = "插件 ID")),
+    responses((status = 200, description = "安全验证报告")),
+    security(("bearer_auth" = [])),
+    tag = "插件管理"
+)]
+/// GET /api/v1/admin/plugins/{id}/validate — 获取插件安全验证报告
+pub async fn validate_plugin<S>(
+    State(state): State<PluginState>,
+    Extension(ctx): Extension<TenantContext>,
+    Path(id): Path<Uuid>,
+) -> Result<Json<ApiResponse<crate::plugin_validator::ValidationReport>>, AppError>
+where
+    PluginState: FromRef<S>,
+    S: Clone + Send + Sync + 'static,
+{
+    require_permission(&ctx, "plugin.admin")?;
+
+    let model = crate::service::find_plugin_model(id, ctx.tenant_id, &state.db).await?;
+    let manifest: crate::manifest::PluginManifest =
+        serde_json::from_value(model.manifest_json.clone())
+            .map_err(|e| AppError::Validation(format!("manifest 解析失败: {}", e)))?;
+
+    let report = crate::plugin_validator::validate_plugin_security(&manifest, model.wasm_binary.len())?;
+    Ok(Json(ApiResponse::ok(report)))
+}