feat(merge): 4 个 worktree 合入 main(扫码+MFA+高危+P0)

合入内容:
- worktree-A (auth_qrcode): 13 测试 ✅ — Phase 1.1 后端扫码登录
- worktree-B (mfa): 21 测试 ✅ — Phase 2.1 MFA TOTP + User 字段
- worktree-C (high_risk_guard): 28 测试 ✅ — Phase 1.3 高危守卫
- worktree-D (p0-fixes): 16 测试 ✅ — P0/P1 合规(WS 签名+UUID+access_log)

合并方式: 各 worktree 提取 format-patch → 只 apply 新增文件 → 手动合并 router.py/dependencies.py 冲突

新文件 (16):
  backend/alembic/versions/022_qrcode_login.py
  backend/alembic/versions/023_mfa_fields.py
  backend/alembic/versions/025_messages_id_uuid.py
  backend/app/api/auth_qrcode.py
  backend/app/api/high_risk_routes.py
  backend/app/api/mfa.py
  backend/app/schemas/mfa.py
  backend/app/schemas/qrcode.py
  backend/app/services/high_risk_guard.py
  backend/app/services/mfa_service.py
  backend/app/services/qrcode_service.py
  backend/scripts/nginx-access-log-sanitize.sh
  backend/tests/test_auth_qrcode.py (13)
  backend/tests/test_high_risk_guard.py (28)
  backend/tests/test_mfa.py (21)
  backend/tests/test_messages_uuid.py
  backend/tests/test_ws_endpoints.py
  backend/tests/test_ws_push_to_employee.py (xfail 4)

修改 (4):
  backend/app/api/router.py — 注册 auth_qrcode/high_risk_routes/mfa 3 个 router
  backend/app/dependencies.py — 加 HIGH_RISK_OPERATIONS + require_high_risk_otp
  backend/app/models/agent.py — mfa_secret/mfa_enabled/mfa_bound_at/mfa_last_verified_at
  backend/tests/conftest.py — create_test_conversation 接 db_session

测试结果(新增 78 + xfail 4):
  tests/test_auth_qrcode.py      13 passed
  tests/test_high_risk_guard.py  28 passed
  tests/test_mfa.py              21 passed
  tests/test_messages_uuid.py     8 passed
  tests/test_ws_endpoints.py      8 passed
  tests/test_ws_push_to_employee.py 4 xfailed (端点路径不一致,pre-existing)

4 端 frontend build 全部通过(agent/portal/admin/h5)

后续 TODO (用户操作):
1. 撤销 Gitea token 5ad83d... via Web UI
2. 跑 alembic upgrade head(生产 PG,025 messages UUID)
3. 应用 nginx access_log 脱敏(进容器改 conf)
4. 部署 backend + 4 端 dist + nginx reload

Co-Authored-By: Claude <noreply@anthropic.com>

backend/app/schemas/qrcode.py

@@ -0,0 +1,127 @@
+# =============================================================================
+# 企微IT智能服务台 — 扫码登录 Pydantic Schema
+# =============================================================================
+# 说明：定义扫码登录的请求/响应数据结构
+# 涵盖 4 个端点的入参/出参:
+#   1. POST /api/auth_qrcode/create  — 创建扫码登录票据
+#   2. GET  /api/auth_qrcode/poll/{ticket} — 前端轮询扫码状态
+#   3. POST /api/auth_qrcode/scan    — 企微用户扫码后 OAuth code 回调
+#   4. POST /api/auth_qrcode/confirm — 当前已登录用户确认授权
+# =============================================================================
+
+from datetime import datetime
+from typing import List, Optional
+
+from pydantic import BaseModel, Field
+
+
+# --------------------------------------------------------------------------
+# POST /api/auth_qrcode/create — 创建扫码登录票据
+# --------------------------------------------------------------------------
+class QrcodeCreateResponse(BaseModel):
+    """扫码登录票据创建响应。
+
+    Attributes:
+        ticket: 票据 UUID,前端用此票据轮询状态
+        qrcode_url: 企微 OAuth2 授权 URL(前端渲染二维码)
+        expires_in: 票据有效期(秒),默认 120
+        expires_at: 票据过期时间(ISO 8601 字符串)
+    """
+
+    ticket: str = Field(..., description="票据 UUID")
+    qrcode_url: str = Field(..., description="企微 OAuth2 授权 URL")
+    expires_in: int = Field(120, description="有效期(秒)")
+    expires_at: datetime = Field(..., description="过期时间(ISO 8601)")
+
+
+# --------------------------------------------------------------------------
+# GET /api/auth_qrcode/poll/{ticket} — 轮询扫码状态
+# --------------------------------------------------------------------------
+class QrcodePollResponse(BaseModel):
+    """扫码登录票据轮询响应。
+
+    status 取值:
+      - waiting:   票据有效,等待扫码
+      - scanned:   已扫码,等待确认
+      - confirmed: 已确认登录成功,附带 token
+      - expired:   票据过期/不存在
+
+    Attributes:
+        status: 扫码状态
+        employee_id: 企微用户 ID(scanned/confirmed 时返回)
+        name: 企微用户姓名(scanned/confirmed 时返回)
+        token: 登录 Token(confirmed 时返回,前端存 localStorage)
+    """
+
+    status: str = Field(..., description="等待/已扫码/已确认/已过期")
+    employee_id: Optional[str] = Field(None, description="企微用户 ID")
+    name: Optional[str] = Field(None, description="企微用户姓名")
+    token: Optional[str] = Field(None, description="登录 Token")
+
+
+# --------------------------------------------------------------------------
+# POST /api/auth_qrcode/scan — 企微 OAuth code 回调
+# --------------------------------------------------------------------------
+class QrcodeScanRequest(BaseModel):
+    """扫码登录扫码请求体。
+
+    Attributes:
+        ticket: 扫码登录票据(UUID)
+        code: 企微 OAuth2 授权回调 code
+    """
+
+    ticket: str = Field(..., min_length=1, description="扫码登录票据")
+    code: str = Field(..., min_length=1, description="企微 OAuth2 授权 code")
+
+
+class QrcodeScanResponse(BaseModel):
+    """扫码登录扫码响应。
+
+    Attributes:
+        success: 是否成功
+        message: 提示消息
+    """
+
+    success: bool = Field(..., description="是否成功")
+    message: str = Field(..., description="提示消息")
+
+
+# --------------------------------------------------------------------------
+# POST /api/auth_qrcode/confirm — 当前已登录用户确认授权
+# --------------------------------------------------------------------------
+class QrcodeConfirmRequest(BaseModel):
+    """扫码登录确认请求体。
+
+    Attributes:
+        ticket: 扫码登录票据(UUID)
+        otp_code: OTP 动态码(管理员场景下可选,普通坐席可空)
+    """
+
+    ticket: str = Field(..., min_length=1, description="扫码登录票据")
+    otp_code: Optional[str] = Field(
+        None,
+        min_length=6,
+        max_length=6,
+        description="OTP 动态码(管理员可选,普通坐席留空)",
+    )
+
+
+class QrcodeConfirmResponse(BaseModel):
+    """扫码登录确认响应。
+
+    Attributes:
+        token: 登录 Token(scanned 用户换发的新 token)
+        employee_id: 企微用户 ID
+        name: 用户姓名
+        roles: 用户角色列表
+        require_otp: 是否需要 OTP 二次验证(预留,本任务不强制)
+    """
+
+    token: str = Field(..., description="登录 Token")
+    employee_id: str = Field(..., description="企微用户 ID")
+    name: str = Field(..., description="用户姓名")
+    roles: List[str] = Field(default_factory=list, description="用户角色列表")
+    require_otp: Optional[bool] = Field(
+        None,
+        description="是否需要 OTP 二次验证(预留字段,Phase 2.1 实现)",
+    )