fix(security): implement all 15 security fixes from penetration test V1

Security audit (2026-03-31): 5 HIGH + 10 MEDIUM issues, all fixed.

HIGH:
- H1: JWT password_version mechanism (pwv in Claims, middleware verification,
  auto-increment on password change)
- H2: Docker saas port bound to 127.0.0.1
- H3: TOTP encryption key decoupled from JWT secret (production bailout)
- H4+H5: Tauri CSP hardened (removed unsafe-inline, restricted connect-src)

MEDIUM:
- M1: Persistent rate limiting (PostgreSQL rate_limit_events table)
- M2: Account lockout (5 failures -> 15min lock)
- M3: RFC 5322 email validation with regex
- M4: Device registration typed struct with length limits
- M5: Provider URL validation on create/update (SSRF prevention)
- M6: Legacy TOTP secret migration (fixed nonce -> random nonce)
- M7: Legacy frontend crypto migration (static salt -> random salt)
- M8+M9: Admin frontend: removed JS token storage, HttpOnly cookie only
- M10: Pipeline debug log sanitization (keys only, 100-char truncation)

Also: fixed CLAUDE.md Section 12 (was corrupted), added title.rs middleware
skeleton, fixed RegisterDeviceRequest visibility.

crates/zclaw-saas/src/account/handlers.rs

@@ -213,18 +213,40 @@ pub async fn dashboard_stats(
 
 // ============ Devices ============
 
+#[derive(serde::Deserialize)]
+pub(super) struct RegisterDeviceRequest {
+    #[serde(default)]
+    device_id: String,
+    #[serde(default)]
+    device_name: String,
+    #[serde(default)]
+    platform: String,
+    #[serde(default)]
+    app_version: String,
+}
+
 /// POST /api/v1/devices/register — 注册或更新设备
 pub async fn register_device(
     State(state): State<AppState>,
     Extension(ctx): Extension<AuthContext>,
-    Json(req): Json<serde_json::Value>,
+    Json(req): Json<RegisterDeviceRequest>,
 ) -> SaasResult<Json<serde_json::Value>> {
-    let device_id = req.get("device_id")
-        .and_then(|v| v.as_str())
-        .ok_or_else(|| SaasError::InvalidInput("缺少 device_id".into()))?;
-    let device_name = req.get("device_name").and_then(|v| v.as_str()).unwrap_or("Unknown");
-    let platform = req.get("platform").and_then(|v| v.as_str()).unwrap_or("unknown");
-    let app_version = req.get("app_version").and_then(|v| v.as_str()).unwrap_or("");
+    // 输入验证
+    if req.device_id.is_empty() || req.device_id.len() > 64 {
+        return Err(SaasError::InvalidInput("device_id 必须为 1-64 个字符".into()));
+    }
+    if req.device_name.len() > 128 {
+        return Err(SaasError::InvalidInput("device_name 最多 128 个字符".into()));
+    }
+    if req.platform.len() > 32 {
+        return Err(SaasError::InvalidInput("platform 最多 32 个字符".into()));
+    }
+    if req.app_version.len() > 32 {
+        return Err(SaasError::InvalidInput("app_version 最多 32 个字符".into()));
+    }
+
+    let device_name = if req.device_name.is_empty() { "Unknown" } else { &req.device_name };
+    let platform = if req.platform.is_empty() { "unknown" } else { &req.platform };
 
     let now = chrono::Utc::now().to_rfc3339();
     let device_uuid = uuid::Uuid::new_v4().to_string();
@@ -238,19 +260,19 @@ pub async fn register_device(
     )
     .bind(&device_uuid)
     .bind(&ctx.account_id)
-    .bind(device_id)
+    .bind(&req.device_id)
     .bind(device_name)
     .bind(platform)
-    .bind(app_version)
+    .bind(&req.app_version)
     .bind(&now)
     .execute(&state.db)
     .await?;
 
-    log_operation(&state.db, &ctx.account_id, "device.register", "device", device_id,
+    log_operation(&state.db, &ctx.account_id, "device.register", "device", &req.device_id,
         Some(serde_json::json!({"device_name": device_name, "platform": platform})),
         ctx.client_ip.as_deref()).await?;
 
-    Ok(Json(serde_json::json!({"ok": true, "device_id": device_id})))
+    Ok(Json(serde_json::json!({"ok": true, "device_id": req.device_id})))
 }
 
 /// POST /api/v1/devices/heartbeat — 设备心跳