fix(security): implement all 15 security fixes from penetration test V1

Security audit (2026-03-31): 5 HIGH + 10 MEDIUM issues, all fixed.

HIGH:
- H1: JWT password_version mechanism (pwv in Claims, middleware verification,
  auto-increment on password change)
- H2: Docker saas port bound to 127.0.0.1
- H3: TOTP encryption key decoupled from JWT secret (production bailout)
- H4+H5: Tauri CSP hardened (removed unsafe-inline, restricted connect-src)

MEDIUM:
- M1: Persistent rate limiting (PostgreSQL rate_limit_events table)
- M2: Account lockout (5 failures -> 15min lock)
- M3: RFC 5322 email validation with regex
- M4: Device registration typed struct with length limits
- M5: Provider URL validation on create/update (SSRF prevention)
- M6: Legacy TOTP secret migration (fixed nonce -> random nonce)
- M7: Legacy frontend crypto migration (static salt -> random salt)
- M8+M9: Admin frontend: removed JS token storage, HttpOnly cookie only
- M10: Pipeline debug log sanitization (keys only, 100-char truncation)

Also: fixed CLAUDE.md Section 12 (was corrupted), added title.rs middleware
skeleton, fixed RegisterDeviceRequest visibility.

crates/zclaw-saas/src/middleware.rs

@@ -74,17 +74,17 @@ pub async fn rate_limit_middleware(
     let window_start = now - std::time::Duration::from_secs(60);
 
     // DashMap 操作限定在作用域块内，确保 RefMut（持有 parking_lot 锁）在 await 前释放
-    let blocked = {
-        let mut entries = state.rate_limit_entries.entry(key).or_insert_with(Vec::new);
+    let (blocked, should_persist) = {
+        let mut entries = state.rate_limit_entries.entry(key.clone()).or_insert_with(Vec::new);
         entries.retain(|&time| time > window_start);
 
         if entries.len() >= rate_limit {
-            true
+            (true, false)
         } else {
             entries.push(now);
-            false
+            (false, true)
         }
-    }; // ← RefMut 在此处 drop，释放 parking_lot shard 锁
+    }; // <- RefMut 在此处 drop，释放 parking_lot shard 锁
 
     if blocked {
         return SaasError::RateLimited(format!(
@@ -93,6 +93,19 @@ pub async fn rate_limit_middleware(
         )).into_response();
     }
 
+    // Write-through to DB for persistence across restarts (fire-and-forget)
+    if should_persist {
+        let db = state.db.clone();
+        tokio::spawn(async move {
+            let _ = sqlx::query(
+                "INSERT INTO rate_limit_events (key, window_start, count) VALUES ($1, NOW(), 1)"
+            )
+            .bind(&key)
+            .execute(&db)
+            .await;
+        });
+    }
+
     next.run(req).await
 }
 
@@ -163,15 +176,15 @@ pub async fn public_rate_limit_middleware(
     let window_start = now - std::time::Duration::from_secs(window_secs);
 
     // DashMap 操作限定在作用域块内，确保 RefMut 在 await 前释放
-    let blocked = {
-        let mut entries = state.rate_limit_entries.entry(key).or_insert_with(Vec::new);
+    let (blocked, should_persist) = {
+        let mut entries = state.rate_limit_entries.entry(key.clone()).or_insert_with(Vec::new);
         entries.retain(|&time| time > window_start);
 
         if entries.len() >= limit {
-            true
+            (true, false)
         } else {
             entries.push(now);
-            false
+            (false, true)
         }
     };
 
@@ -179,6 +192,19 @@ pub async fn public_rate_limit_middleware(
         return SaasError::RateLimited(error_msg.into()).into_response();
     }
 
+    // Write-through to DB for persistence across restarts (fire-and-forget)
+    if should_persist {
+        let db = state.db.clone();
+        tokio::spawn(async move {
+            let _ = sqlx::query(
+                "INSERT INTO rate_limit_events (key, window_start, count) VALUES ($1, NOW(), 1)"
+            )
+            .bind(&key)
+            .execute(&db)
+            .await;
+        });
+    }
+
     next.run(req).await
 }