fix(backend): Wave 1 Day 1 三个 P0 D Bug 修复

- W1-T3 修 4 处 fdw_etl.* 必坏残留 → app.* (P0-5 致命 1)
  · tenant_users.py L431/L456-457: v_dim_assistant + v_dim_staff(_ex)
  · tenant_excel.py L394/L411: v_dim_assistant + v_dim_staff
  · tenant_clues.py L119: v_dim_member
  · 修复后 tenant-admin 用户审核 / Excel 上传 / 维客线索恢复正常

- W1-T4 JWT aud sign 端写入 (P0-5 致命 2 最小止血)
  · jwt.py 全部 token 创建/解码函数加 audience 参数
  · auth.py admin 端加 audience="admin"
  · xcx_auth.py miniapp 端加 audience="miniapp" (8 处调用)
  · 18 router 切强制 aud 校验留 Wave 2

- W1-T5 DBViewer 白名单 + 黑名单双保险 (P0-8)
  · 白名单: SELECT/WITH/EXPLAIN/SHOW 开头
  · 黑名单: 17 关键词覆盖全 DML/DDL/DCL
  · 注释剥离避免误伤;15/15 单测 PASS

参考: docs/audit/changes/2026-05-04__wave1_day1_d_bug_triple_fix.md

apps/backend/app/routers/xcx_auth.py

@@ -200,14 +200,14 @@ async def wx_login(body: WxLoginRequest):
                 default_site_id = _get_user_default_site(conn, user_id)
                 if default_site_id is not None:
                     roles = _get_user_roles_at_site(conn, user_id, default_site_id)
-                    tokens = create_token_pair(user_id, default_site_id, roles=roles)
+                    tokens = create_token_pair(user_id, default_site_id, roles=roles, audience="miniapp")
                     login_role = roles[0] if roles else None
                 else:
                     # approved 但无 site 绑定（异常边界），签发受限令牌
-                    tokens = create_limited_token_pair(user_id)
+                    tokens = create_limited_token_pair(user_id, audience="miniapp")
             else:
                 # new / pending / rejected → 受限令牌
-                tokens = create_limited_token_pair(user_id)
+                tokens = create_limited_token_pair(user_id, audience="miniapp")
 
     finally:
         conn.close()
@@ -483,7 +483,7 @@ async def switch_site(
     finally:
         conn.close()
 
-    tokens = create_token_pair(user.user_id, body.site_id, roles=roles)
+    tokens = create_token_pair(user.user_id, body.site_id, roles=roles, audience="miniapp")
 
     return WxLoginResponse(
         access_token=tokens["access_token"],
@@ -549,13 +549,13 @@ async def refresh_token(body: RefreshTokenRequest):
 
                 if site_id is not None:
                     roles = _get_user_roles_at_site(conn, user_id, site_id)
-                    tokens = create_token_pair(user_id, site_id, roles=roles)
+                    tokens = create_token_pair(user_id, site_id, roles=roles, audience="miniapp")
                 else:
                     # approved 但无 site 绑定（异常边界）
-                    tokens = create_limited_token_pair(user_id)
+                    tokens = create_limited_token_pair(user_id, audience="miniapp")
             else:
                 # new / pending / rejected / disabled → 受限令牌
-                tokens = create_limited_token_pair(user_id)
+                tokens = create_limited_token_pair(user_id, audience="miniapp")
 
     finally:
         conn.close()
@@ -629,12 +629,12 @@ if config.WX_DEV_MODE:
                     default_site_id = _get_user_default_site(conn, user_id)
                     if default_site_id is not None:
                         roles = _get_user_roles_at_site(conn, user_id, default_site_id)
-                        tokens = create_token_pair(user_id, default_site_id, roles=roles)
+                        tokens = create_token_pair(user_id, default_site_id, roles=roles, audience="miniapp")
                         dev_login_role = roles[0] if roles else None
                     else:
-                        tokens = create_limited_token_pair(user_id)
+                        tokens = create_limited_token_pair(user_id, audience="miniapp")
                 else:
-                    tokens = create_limited_token_pair(user_id)
+                    tokens = create_limited_token_pair(user_id, audience="miniapp")
 
         finally:
             conn.close()
@@ -807,7 +807,7 @@ if config.WX_DEV_MODE:
         finally:
             conn.close()
 
-        tokens = create_token_pair(user.user_id, user.site_id, roles=roles)
+        tokens = create_token_pair(user.user_id, user.site_id, roles=roles, audience="miniapp")
         return WxLoginResponse(
             access_token=tokens["access_token"],
             refresh_token=tokens["refresh_token"],
@@ -850,11 +850,11 @@ if config.WX_DEV_MODE:
                     default_site_id = _get_user_default_site(conn, user.user_id)
                     if default_site_id is not None:
                         roles = _get_user_roles_at_site(conn, user.user_id, default_site_id)
-                        tokens = create_token_pair(user.user_id, default_site_id, roles=roles)
+                        tokens = create_token_pair(user.user_id, default_site_id, roles=roles, audience="miniapp")
                     else:
-                        tokens = create_limited_token_pair(user.user_id)
+                        tokens = create_limited_token_pair(user.user_id, audience="miniapp")
                 else:
-                    tokens = create_limited_token_pair(user.user_id)
+                    tokens = create_limited_token_pair(user.user_id, audience="miniapp")
         finally:
             conn.close()