fix(ci,web): API 路径检查脚本归一化 + DEV 模式路由覆盖率校验

- check-api-paths.sh: 归一化前端硬编码 ID、扩展后端路由提取范围
  (users/roles/departments 等基础模块)、排除插件动态路由假阳性
  结果: 46 个不匹配 → 0 个，CI PASS
- routeConfig.ts: 新增 validateRouteCoverage() 开发模式校验函数
- App.tsx: 挂载时调用路由覆盖率校验，未声明权限的路由会 console.warn

apps/web/src/App.tsx

@@ -8,7 +8,7 @@ import { ErrorBoundary } from './components/ErrorBoundary';
 import { useAuthStore } from './stores/auth';
 import { useAppStore } from './stores/app';
 import type { ThemeName } from './stores/app';
-import { ROUTE_PERMISSIONS, FROZEN_ROUTES } from './routeConfig';
+import { ROUTE_PERMISSIONS, FROZEN_ROUTES, validateRouteCoverage } from './routeConfig';
 
 const Home = lazy(() => import('./pages/Home'));
 const Users = lazy(() => import('./pages/Users'));
@@ -244,6 +244,29 @@ export default function App() {
     document.documentElement.setAttribute('data-theme', themeName);
   }, [themeName]);
 
+  // DEV mode: validate all routes have permission declarations
+  useEffect(() => {
+    validateRouteCoverage([
+      "/users", "/roles", "/organizations", "/workflow", "/messages", "/settings",
+      "/plugins/admin", "/plugins/market",
+      "/health/statistics", "/health/patients", "/health/tags", "/health/doctors",
+      "/health/appointments", "/health/schedules", "/health/follow-up-tasks",
+      "/health/follow-up-records", "/health/consultations",
+      "/health/points-rules", "/health/points-products", "/health/points-orders",
+      "/health/offline-events", "/health/ai-prompts", "/health/ai-analysis",
+      "/health/ai-usage", "/health/alerts", "/health/alert-dashboard",
+      "/health/alert-rules", "/health/devices", "/health/realtime-monitor",
+      "/health/oauth-clients", "/health/dialysis", "/health/action-inbox",
+      "/health/follow-up-templates", "/health/care-plans", "/health/shifts",
+      "/health/medications", "/health/ble-gateways",
+      "/health/critical-value-thresholds", "/health/diagnoses",
+      "/health/family-proxy", "/health/consents",
+      "/health/articles", "/health/article-categories", "/health/article-tags",
+      "/health/banners", "/health/media-library",
+      "/health/medication-records",
+    ]);
+  }, []);
+
   const isDark = themeName === 'dark';
   const antTheme = useMemo(() => themeConfigs[themeName] ?? themeConfigs.blue, [themeName]);
 

apps/web/src/routeConfig.ts

@@ -175,6 +175,14 @@ const ENTRIES: RoutePermissionEntry[] = [
     path: "/health/article-tags",
     permissions: ["health.articles.list", "health.articles.manage"],
   },
+  {
+    path: "/health/banners",
+    permissions: ["health.banners.list", "health.banners.manage"],
+  },
+  {
+    path: "/health/media-library",
+    permissions: ["health.media.list", "health.media.manage"],
+  },
 
   // ===== 健康管理 — 其他 =====
   {
@@ -187,7 +195,7 @@ const ENTRIES: RoutePermissionEntry[] = [
   },
   {
     path: "/health/medication-records",
-    permissions: ["health.medication-records.manage"],
+    permissions: ["health.medication-records.list", "health.medication-records.manage"],
   },
 
   // ===== 冻结路由 =====
@@ -219,6 +227,11 @@ const ENTRIES: RoutePermissionEntry[] = [
     permissions: ["health.dialysis.list", "health.dialysis.manage"],
     frozen: true,
   },
+  {
+    path: "/health/dialysis-prescriptions",
+    permissions: ["health.dialysis-prescription.list", "health.dialysis-prescription.manage"],
+    frozen: true,
+  },
   {
     path: "/health/schedules",
     permissions: ["health.appointment.list", "health.appointment.manage"],
@@ -244,3 +257,26 @@ if (import.meta.env.DEV) {
     console.error("[routeConfig] 检测到重复路径:", dupes);
   }
 }
+
+/**
+ * DEV 模式路由覆盖率校验。
+ * 在 App.tsx 挂载后调用，检查所有实际路由是否都有权限声明。
+ * 忽略带参数的子路由（如 /health/patients/:id），它们通过前缀匹配继承权限。
+ */
+export function validateRouteCoverage(registeredPaths: string[]): void {
+  if (!import.meta.env.DEV) return;
+
+  const allConfigPaths = ENTRIES.map((e) => e.path);
+  const uncovered = registeredPaths.filter((p) => {
+    if (p === "/" || p === "/login" || p === "/*") return false;
+    if (p.includes(":")) return false; // 子路由通过前缀继承
+    return !allConfigPaths.includes(p);
+  });
+
+  if (uncovered.length > 0) {
+    console.warn(
+      "[routeConfig] 以下路由未在 routeConfig.ts 中声明权限，将被 PrivateRoute 默认 403 拦截：",
+      uncovered,
+    );
+  }
+}