feat: 增强SaaS后端功能与安全性

refactor: 重构数据库连接使用PostgreSQL替代SQLite
feat(auth): 增加JWT验证的audience和issuer检查
feat(crypto): 添加AES-256-GCM字段加密支持
feat(api): 集成utoipa实现OpenAPI文档
fix(admin): 修复配置项表单验证逻辑
style: 统一代码格式与类型定义
docs: 更新技术栈文档说明PostgreSQL

start-all.ps1

@@ -1,5 +1,5 @@
 # ZCLAW Full Stack Start Script
-# Starts: ChromeDriver (optional) -> Tauri Desktop
+# Starts: SaaS Backend (optional) -> ChromeDriver (optional) -> Tauri Desktop
 #
 # NOTE: ZCLAW now uses internal Kernel (zclaw-kernel) for all operations.
 # No external ZCLAW runtime is required.
@@ -9,7 +9,8 @@ param(
     [switch]$Dev,
     [switch]$Help,
     [switch]$Stop,
-    [switch]$DesktopOnly
+    [switch]$DesktopOnly,
+    [switch]$NoSaas
 )
 
 $ErrorActionPreference = "Continue"
@@ -30,8 +31,9 @@ ZCLAW Full Stack Start Script
 Usage: .\start-all.ps1 [options]
 
 Options:
-    -DesktopOnly    Start desktop only (skip ChromeDriver)
+    -DesktopOnly    Start desktop only (skip ChromeDriver + SaaS)
     -NoBrowser      Skip ChromeDriver startup
+    -NoSaas         Skip SaaS backend startup
     -Dev            Development mode (hot reload)
     -Stop           Stop all services
     -Help           Show this help
@@ -43,7 +45,7 @@ Note:
 Quick Commands:
     pnpm start           # Start all services
     pnpm start:dev       # Start in dev mode
-    pnpm start:desktop   # Start desktop only (no browser)
+    pnpm start:desktop   # Start desktop only (no browser, no SaaS)
 
 "@
     exit 0
@@ -57,6 +59,17 @@ if ($Stop) {
     Get-Process -Name "chromedriver" -ErrorAction SilentlyContinue | Stop-Process -Force
     ok "ChromeDriver stopped"
 
+    # Stop SaaS backend
+    Get-Process -Name "zclaw-saas" -ErrorAction SilentlyContinue | Stop-Process -Force
+    $port8080 = netstat -ano | Select-String ":8080.*LISTENING"
+    if ($port8080) {
+        $pid8080 = ($port8080 -split '\s+')[-1]
+        if ($pid8080 -match '^\d+$') {
+            Stop-Process -Id $pid8080 -Force -ErrorAction SilentlyContinue
+            ok "Stopped SaaS backend on port 8080 (PID: $pid8080)"
+        }
+    }
+
     # Stop any process on port 4200 (legacy, may still be in use)
     $port4200 = netstat -ano | Select-String ":4200.*LISTENING"
     if ($port4200) {
@@ -108,12 +121,56 @@ function Cleanup {
 trap { Cleanup; break }
 Register-EngineEvent -SourceIdentifier PowerShell.Exiting -Action { Cleanup } | Out-Null
 
-# Skip ChromeDriver if DesktopOnly
+# Skip ChromeDriver and SaaS if DesktopOnly
 if ($DesktopOnly) {
     $NoBrowser = $true
+    $NoSaas = $true
 }
 
-# 1. ChromeDriver (optional - for Browser Hand automation)
+# 1. SaaS Backend (for cloud features: account, relay, config sync)
+if (-not $NoSaas) {
+    info "Checking SaaS backend..."
+
+    # Check if port 8080 is already in use
+    $port8080 = netstat -ano | Select-String ":8080.*LISTENING"
+    if ($port8080) {
+        $pid8080 = ($port8080 -split '\s+')[-1]
+        if ($pid8080 -match '^\d+$') {
+            ok "SaaS backend already running on port 8080 (PID: $pid8080)"
+        }
+    } else {
+        # Check if zclaw-saas binary exists
+        $saasBin = "$ScriptDir\target\debug\zclaw-saas.exe"
+        $saasBinRelease = "$ScriptDir\target\release\zclaw-saas.exe"
+        $saasExe = if (Test-Path $saasBinRelease) { $saasBinRelease } elseif (Test-Path $saasBin) { $saasBin } else { $null }
+
+        if ($saasExe) {
+            ok "SaaS backend binary found: $saasExe"
+            info "Starting SaaS backend on port 8080..."
+
+            $env:ZCLAW_SAAS_DEV = "true"
+            $proc = Start-Process -FilePath $saasExe -PassThru -WindowStyle Minimized
+            $Jobs += $proc
+            Start-Sleep -Seconds 3
+
+            if ($proc.HasExited) {
+                err "SaaS backend exited unexpectedly. Run manually: cd $ScriptDir && ZCLAW_SAAS_DEV=true cargo run --bin zclaw-saas"
+            } else {
+                ok "SaaS backend started (PID: $($proc.Id))"
+            }
+        } else {
+            warn "SaaS backend binary not found. Building..."
+            info "Run: cd $ScriptDir && cargo build --bin zclaw-saas"
+            warn "SaaS cloud features will be unavailable. Start SaaS manually after build."
+        }
+    }
+} else {
+    info "Skipping SaaS backend"
+}
+
+Write-Host ""
+
+# 2. ChromeDriver (optional - for Browser Hand automation)
 if (-not $NoBrowser) {
     info "Checking ChromeDriver..."
 
@@ -146,7 +203,7 @@ if (-not $NoBrowser) {
 
 Write-Host ""
 
-# 2. Start Tauri Desktop
+# 3. Start Tauri Desktop
 info "Starting ZCLAW Desktop..."
 Set-Location "$ScriptDir/desktop"