朱子纯 / test3

- EMPLOYEE_NOT_FOUND 值恢复为规格文档规定的 40001

- getPermissionGroups 增加 brandId 多租户过滤
- EMPLOYEE_NOT_FOUND = 40401 常量替换魔法数字 40001
- 权限组绑定改为批量 insert(Collection) 消除 N+1

- UserPrincipal record + JwtAuthenticationFilter 注入用户上下文
- SecurityConfig 补充 authenticationEntryPoint 返回 401
- UserService/UserServiceImpl: 创建用户、获取员工列表、获取权限组
- UserController: POST /users、GET /users/staffs、GET /users/permission-groups
- UserServiceTest (6 cases) + UserControllerTest (5 cases) 全部通过

- Copy V2 migration to backend/src/main/resources/db/migration/ for Flyway classpath
- Update review report to round 2 approve
- Mark REQ-USR-004 done in docs/08

1. V2 migration: uk_usr_user_username 改为 (sUsername, sBrandsId) 复合唯一
2. AuthServiceImpl: UpdateWrapper 换 LambdaUpdateWrapper（一致性）
3. AuthServiceImpl.refresh(): 追加 tLockUntil 检查，防绕过锁定
4. AuthServiceTest: 新增 refresh_lockedUser_throws40103
5. pom.xml: Lombok 1.18.36 适配 Java 25，surefire ByteBuddy 实验模式
6. .mvn/jvm.config + scripts/test.sh: Java 21 编译兼容性修复

- SecurityConfig: STATELESS, permitAll /api/auth/**, JWT filter
- JwtAuthenticationFilter: Bearer token → SecurityContext
- AuthController: POST /login, POST /refresh, GET /brands
- BrandVO: @JsonProperty to fix Jackson serialization of sNo/sName
- AuthControllerTest: 4/4 PASS; all 22 backend tests GREEN

- LoginReqDTO/RefreshTokenReqDTO/LoginVO/BrandVO DTO/VO
- AuthService interface: login/refresh/getBrands
- AuthServiceImpl: multi-tenant brand query, BCrypt, disabled/lock check,
  fail count (5x → lock 30min), success reset; refresh token validate + re-issue;
  getBrands ORDER BY sName
- UpdateWrapper (string columns) avoids LambdaWrapper unit test issue
- BeanConfig: @Bean BCryptPasswordEncoder
- AuthServiceTest: 10/10 PASS (7 login + 3 refresh/brands)

- BrandEntity/UsrUserEntity: @TableName + @TableField (map-underscore-to-camel-case=false)
- BrandMapper/UsrUserMapper: extends BaseMapper
- MyBatisPlusConfig: @MapperScan + PaginationInnerInterceptor
- BrandMapperTest: insert/query/delete against test DB PASS

- JwtProperties: @ConfigurationProperties("jwt") with secret/expiry
- JwtUtil: generateAccessToken/generateRefreshToken/parseAccessToken/parseRefreshToken
- parseRefreshToken validates type=refresh claim, throws 40103 if mismatch
- JwtUtilTest: 3 tests PASS

- Result<T>: ok()/fail() with code/message/data/timestamp
- BizException: carries int code
- AuthErrorCode: 40100/40101/40102/40103 constants
- GlobalExceptionHandler: BizException, validation, fallback 99000

- pom.xml: Spring Boot 3.3.5, MyBatis-Plus 3.5.7, JJWT 0.12.6, Flyway 10.x
- application.yml: DB/JWT from env vars, Flyway baseline-on-migrate=true
- V1 migration copied to classpath:db/migration
- ApplicationContextTest: @SpringBootTest context loads + Flyway baseline OK