v0.1.0: CRM/ERP 系统内测版本 - 安全加固完成

- Docker bridge 网络隔离（8000 端口封死）
- Gunicorn 4 Worker 多进程
- Alembic 数据库迁移基线
- 日志轮转 20m×3
- JWT 密钥 + DB 密码 + CORS 收紧
- 3-2-1 备份链路（NAS + R740-B 冷备）
- 连接池 pool_pre_ping + pool_recycle=3600

backend/app/api/deps.py

@@ -0,0 +1,40 @@
+# -*- coding: utf-8 -*-
+"""
+API 公共依赖
+提供 JWT 令牌验证依赖，用于需要认证的路由。
+"""
+
+from fastapi import Depends, HTTPException, status
+from fastapi.security import HTTPAuthorizationCredentials, HTTPBearer
+
+from app.core.security import decode_access_token
+
+# Bearer Token 提取器
+bearer_scheme = HTTPBearer(auto_error=True)
+
+
+async def get_current_user(
+    credentials: HTTPAuthorizationCredentials = Depends(bearer_scheme),
+) -> dict:
+    """
+    从 Authorization: Bearer <token> 中解码 JWT，返回 payload。
+    用法: current_user: dict = Depends(get_current_user)
+    """
+    payload = decode_access_token(credentials.credentials)
+    if payload is None:
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail="令牌无效或已过期",
+            headers={"WWW-Authenticate": "Bearer"},
+        )
+    return payload
+
+
+async def require_admin(current_user: dict = Depends(get_current_user)) -> dict:
+    """仅允许 admin 角色访问，否则 403"""
+    if current_user.get("role") != "admin":
+        raise HTTPException(
+            status_code=status.HTTP_403_FORBIDDEN,
+            detail="权限不足，需要管理员角色",
+        )
+    return current_user