feat(merge): 4 个 worktree 合入 main(扫码+MFA+高危+P0)

合入内容:
- worktree-A (auth_qrcode): 13 测试 ✅ — Phase 1.1 后端扫码登录
- worktree-B (mfa): 21 测试 ✅ — Phase 2.1 MFA TOTP + User 字段
- worktree-C (high_risk_guard): 28 测试 ✅ — Phase 1.3 高危守卫
- worktree-D (p0-fixes): 16 测试 ✅ — P0/P1 合规(WS 签名+UUID+access_log)

合并方式: 各 worktree 提取 format-patch → 只 apply 新增文件 → 手动合并 router.py/dependencies.py 冲突

新文件 (16):
  backend/alembic/versions/022_qrcode_login.py
  backend/alembic/versions/023_mfa_fields.py
  backend/alembic/versions/025_messages_id_uuid.py
  backend/app/api/auth_qrcode.py
  backend/app/api/high_risk_routes.py
  backend/app/api/mfa.py
  backend/app/schemas/mfa.py
  backend/app/schemas/qrcode.py
  backend/app/services/high_risk_guard.py
  backend/app/services/mfa_service.py
  backend/app/services/qrcode_service.py
  backend/scripts/nginx-access-log-sanitize.sh
  backend/tests/test_auth_qrcode.py (13)
  backend/tests/test_high_risk_guard.py (28)
  backend/tests/test_mfa.py (21)
  backend/tests/test_messages_uuid.py
  backend/tests/test_ws_endpoints.py
  backend/tests/test_ws_push_to_employee.py (xfail 4)

修改 (4):
  backend/app/api/router.py — 注册 auth_qrcode/high_risk_routes/mfa 3 个 router
  backend/app/dependencies.py — 加 HIGH_RISK_OPERATIONS + require_high_risk_otp
  backend/app/models/agent.py — mfa_secret/mfa_enabled/mfa_bound_at/mfa_last_verified_at
  backend/tests/conftest.py — create_test_conversation 接 db_session

测试结果(新增 78 + xfail 4):
  tests/test_auth_qrcode.py      13 passed
  tests/test_high_risk_guard.py  28 passed
  tests/test_mfa.py              21 passed
  tests/test_messages_uuid.py     8 passed
  tests/test_ws_endpoints.py      8 passed
  tests/test_ws_push_to_employee.py 4 xfailed (端点路径不一致,pre-existing)

4 端 frontend build 全部通过(agent/portal/admin/h5)

后续 TODO (用户操作):
1. 撤销 Gitea token 5ad83d... via Web UI
2. 跑 alembic upgrade head(生产 PG,025 messages UUID)
3. 应用 nginx access_log 脱敏(进容器改 conf)
4. 部署 backend + 4 端 dist + nginx reload

Co-Authored-By: Claude <noreply@anthropic.com>

backend/app/api/router.py

@@ -178,3 +178,32 @@ api_router.include_router(approval_router, tags=["审批流程"])
 # 企微 JS-SDK 签名 API (v0.5.4 应急页身份检测用)
 # GET /api/wecom/jsapi-config?url=xxx — 返回 corp_id/agent_id/timestamp/nonce_str/signature
 api_router.include_router(wecom_jsapi_router, tags=["企微JS-SDK"])
+
+# 扫码登录 API (Phase 1.1 task #14)
+# POST /api/auth_qrcode/create              — 创建扫码登录票据
+# GET  /api/auth_qrcode/poll/{ticket}       — 前端轮询扫码状态
+# POST /api/auth_qrcode/scan                — 企微 OAuth2 回调
+# POST /api/auth_qrcode/confirm             — 已登录坐席确认授权
+from app.api.auth_qrcode import router as auth_qrcode_router
+api_router.include_router(auth_qrcode_router, tags=["扫码登录"])
+
+# 高危操作演示 API (Phase 1.3 task #19)
+# POST /api/admin/high-risk/demo/{category} — 5 类高危操作演示端点
+# GET  /api/admin/high-risk/whitelist        — 获取高危操作白名单
+# GET  /api/admin/high-risk/check            — 检查当前管理员 OTP 状态
+from app.api.high_risk_routes import router as high_risk_routes_router
+api_router.include_router(high_risk_routes_router, tags=["高危操作"])
+
+from app.api.mfa import router as mfa_router, admin_router as mfa_admin_router  # Phase 2.1 task #17
+
+# MFA 二次认证 API (Phase 2.1 task #17)
+# GET  /api/mfa/status          — 查询绑定状态(路由守卫用)
+# POST /api/mfa/bind/start      — 生成 secret + 二维码
+# POST /api/mfa/bind/confirm    — 输入 OTP 完成绑定
+# POST /api/mfa/verify          — 输入 OTP 通过验证(写 Redis 30 分钟)
+# POST /api/mfa/disable         — 用户主动关闭 MFA
+api_router.include_router(mfa_router, tags=["MFA二次认证"])
+
+# MFA 管理员重置 API (Phase 2.1 task #17,丢手机兜底)
+# POST /api/admin/mfa/reset/{employee_id} — 管理员重置指定员工 MFA
+api_router.include_router(mfa_admin_router, tags=["MFA管理(管理员)"])