feat: 后端用户认证和权限过滤

- 新增 auth 模块：jumpToken 代理交换、用户信息获取、JWT 签发
- 三级权限：full(所有权限/数智中心/BI-Leader)、department(BI-Leader-Dep)、personal
- 添加 managerId 到车辆数据模型，支持个人级别按 userId 精确过滤
- auth 中间件保护所有 /api/* 端点（跳过 /api/health 和 /api/auth/*）
- 所有路由集成 filterByPermission 权限过滤

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

src/server/routes/mileage/monitoring.ts

@@ -1,5 +1,7 @@
 import { Hono } from 'hono';
 import { getCache, queryDateMileage, buildDateFilters } from './cache.js';
+import { filterByPermission } from '../../auth/permissions.js';
+import type { AuthUser } from '../../auth/types.js';
 import type { CachedVehicle, MonitoringFilters, MonitoringResponse } from './types.js';
 
 const app = new Hono();
@@ -86,6 +88,13 @@ app.get('/', async (c) => {
     filters = cache.filters;
   }
 
+  // 权限过滤
+  const user = (c as any).get('user') as AuthUser | undefined;
+  if (user) {
+    allVehicles = filterByPermission(allVehicles, user);
+    filters = buildDateFilters(allVehicles); // 重算筛选选项以匹配权限范围
+  }
+
   const filtered = applyFilters(allVehicles, filterParams);
 
   const stats = {