feat(security): Auth Token HttpOnly Cookie — XSS 安全加固

后端:
- axum-extra 启用 cookie feature
- login/register/refresh 设置 HttpOnly + Secure + SameSite=Strict cookies
- 新增 POST /api/v1/auth/logout 清除 cookies
- auth_middleware 支持 cookie 提取路径（fallback from header）
- CORS: 添加 allow_credentials(true) + COOKIE header

前端 (admin-v2):
- authStore: token 仅存内存，不再写 localStorage（account 保留）
- request.ts: 添加 withCredentials: true 发送 cookies
- 修复 refresh token rotation bug（之前不更新 stored refreshToken）
- logout 调用后端清除 cookie 端点

向后兼容: API 客户端仍可用 Authorization: Bearer header
Desktop (Ed25519 设备认证) 完全不受影响

crates/zclaw-saas/src/main.rs

@@ -1,6 +1,7 @@
 //! ZCLAW SaaS 服务入口
 
 use axum::extract::State;
+use tokio_util::sync::CancellationToken;
 use tower_http::timeout::TimeoutLayer;
 use tracing::info;
 use zclaw_saas::{config::SaaSConfig, db::init_db, state::AppState};
@@ -35,7 +36,9 @@ async fn main() -> anyhow::Result<()> {
     dispatcher.register(UpdateLastUsedWorker);
     info!("Worker dispatcher initialized (5 workers registered)");
 
-    let state = AppState::new(db.clone(), config.clone(), dispatcher)?;
+    // 优雅停机令牌 — 取消后所有 SSE 流和长连接立即终止
+    let shutdown_token = CancellationToken::new();
+    let state = AppState::new(db.clone(), config.clone(), dispatcher, shutdown_token.clone())?;
 
     // 启动声明式 Scheduler（从 TOML 配置读取定时任务）
     let scheduler_config = &config.scheduler;
@@ -57,16 +60,55 @@ async fn main() -> anyhow::Result<()> {
 
     let app = build_router(state).await;
 
-    let listener = tokio::net::TcpListener::bind(format!("{}:{}", config.server.host, config.server.port))
-        .await?;
+    // 配置 TCP keepalive + 短 SO_LINGER，防止 CLOSE_WAIT 累积
+    let listener = create_listener(&config.server.host, config.server.port)?;
     info!("SaaS server listening on {}:{}", config.server.host, config.server.port);
 
+    // 优雅停机: Ctrl+C → 取消 CancellationToken → SSE 流终止 → 连接排空
+    let token = shutdown_token.clone();
     axum::serve(listener, app.into_make_service_with_connect_info::<std::net::SocketAddr>())
-        .with_graceful_shutdown(shutdown_signal())
+        .with_graceful_shutdown(async move {
+            tokio::signal::ctrl_c()
+                .await
+                .expect("Failed to install Ctrl+C handler");
+            info!("Received shutdown signal, cancelling SSE streams and draining connections...");
+            token.cancel();
+        })
         .await?;
     Ok(())
 }
 
+/// 创建带 TCP keepalive 和短 SO_LINGER 的 TcpListener，防止 CLOSE_WAIT 累积
+fn create_listener(host: &str, port: u16) -> anyhow::Result<tokio::net::TcpListener> {
+    let addr = format!("{}:{}", host, port);
+    let socket = socket2::Socket::new(
+        socket2::Domain::for_address(addr.parse::<std::net::SocketAddr>()?),
+        socket2::Type::STREAM,
+        Some(socket2::Protocol::TCP),
+    )?;
+
+    // SO_REUSEADDR: 允许快速重启时复用 TIME_WAIT 端口
+    socket.set_reuse_address(true)?;
+
+    // TCP keepalive: 60s 空闲后每 10s 探测，连续 3 次无响应则关闭
+    // 防止已断开但对端未发 FIN 的连接永远留在 CLOSE_WAIT
+    let keepalive = socket2::SockRef::from(&socket);
+    keepalive.set_tcp_keepalive(
+        &socket2::TcpKeepalive::new()
+            .with_time(std::time::Duration::from_secs(60))
+            .with_interval(std::time::Duration::from_secs(10)),
+    )?;
+
+    // 短 SO_LINGER (1s): 关闭时最多等 1 秒即 RST，避免大量 TIME_WAIT
+    socket.set_linger(Some(std::time::Duration::from_secs(1)))?;
+
+    socket.bind(&addr.parse::<std::net::SocketAddr>()?.into())?;
+    socket.listen(1024)?;
+    socket.set_nonblocking(true)?;
+
+    Ok(tokio::net::TcpListener::from_std(socket.into())?)
+}
+
 async fn health_handler(
     State(state): State<AppState>,
 ) -> (axum::http::StatusCode, axum::Json<serde_json::Value> ) {
@@ -133,6 +175,7 @@ async fn build_router(state: AppState) -> axum::Router {
                     .allow_origin(Any)
                     .allow_methods(Any)
                     .allow_headers(Any)
+                    .allow_credentials(true)
             } else {
                 tracing::error!("生产环境必须配置 server.cors_origins，不能使用 allow_origin(Any)");
                 panic!("生产环境必须配置 server.cors_origins 白名单。开发环境可设置 ZCLAW_SAAS_DEV=true 绕过。");
@@ -154,8 +197,10 @@ async fn build_router(state: AppState) -> axum::Router {
                 .allow_headers([
                     axum::http::header::AUTHORIZATION,
                     axum::http::header::CONTENT_TYPE,
+                    axum::http::header::COOKIE,
                     axum::http::HeaderName::from_static("x-request-id"),
                 ])
+                .allow_credentials(true)
         }
     };
 
@@ -205,11 +250,3 @@ async fn build_router(state: AppState) -> axum::Router {
         .layer(cors)
         .with_state(state)
 }
-
-/// 监听 Ctrl+C 信号，触发 graceful shutdown
-async fn shutdown_signal() {
-    tokio::signal::ctrl_c()
-        .await
-        .expect("Failed to install Ctrl+C handler");
-    info!("Received shutdown signal, draining connections...");
-}