fix(security): implement all 15 security fixes from penetration test V1

Security audit (2026-03-31): 5 HIGH + 10 MEDIUM issues, all fixed.

HIGH:
- H1: JWT password_version mechanism (pwv in Claims, middleware verification,
  auto-increment on password change)
- H2: Docker saas port bound to 127.0.0.1
- H3: TOTP encryption key decoupled from JWT secret (production bailout)
- H4+H5: Tauri CSP hardened (removed unsafe-inline, restricted connect-src)

MEDIUM:
- M1: Persistent rate limiting (PostgreSQL rate_limit_events table)
- M2: Account lockout (5 failures -> 15min lock)
- M3: RFC 5322 email validation with regex
- M4: Device registration typed struct with length limits
- M5: Provider URL validation on create/update (SSRF prevention)
- M6: Legacy TOTP secret migration (fixed nonce -> random nonce)
- M7: Legacy frontend crypto migration (static salt -> random salt)
- M8+M9: Admin frontend: removed JS token storage, HttpOnly cookie only
- M10: Pipeline debug log sanitization (keys only, 100-char truncation)

Also: fixed CLAUDE.md Section 12 (was corrupted), added title.rs middleware
skeleton, fixed RegisterDeviceRequest visibility.

crates/zclaw-saas/src/auth/mod.rs

@@ -130,15 +130,39 @@ pub async fn auth_middleware(
             verify_api_token(&state, token, client_ip.clone()).await
         } else {
             // JWT 路径
-            let verify_result = jwt::verify_token(token, state.jwt_secret.expose_secret());
-            verify_result
-                .map(|claims| AuthContext {
-                    account_id: claims.sub,
-                    role: claims.role,
-                    permissions: claims.permissions,
-                    client_ip,
-                })
-                .map_err(|_| SaasError::Unauthorized)
+            match jwt::verify_token(token, state.jwt_secret.expose_secret()) {
+                Ok(claims) => {
+                    // H1: 验证 password_version — 密码变更后旧 token 失效
+                    let pwv_row: Option<(i32,)> = sqlx::query_as(
+                        "SELECT password_version FROM accounts WHERE id = $1"
+                    )
+                    .bind(&claims.sub)
+                    .fetch_optional(&state.db)
+                    .await
+                    .ok()
+                    .flatten();
+
+                    match pwv_row {
+                        Some((current_pwv,)) if (current_pwv as u32) == claims.pwv => {
+                            Ok(AuthContext {
+                                account_id: claims.sub,
+                                role: claims.role,
+                                permissions: claims.permissions,
+                                client_ip,
+                            })
+                        }
+                        _ => {
+                            tracing::warn!(
+                                account_id = %claims.sub,
+                                token_pwv = claims.pwv,
+                                "Token rejected: password_version mismatch or account not found"
+                            );
+                            Err(SaasError::Unauthorized)
+                        }
+                    }
+                }
+                Err(_) => Err(SaasError::Unauthorized),
+            }
         }
     } else {
         Err(SaasError::Unauthorized)