feat: add auto-login with token restore on app startup

App 启动时从 SecureStorage 读取已存储的 JWT，解析用户信息自动恢复登录状态，
无需每次重新输入密码。Token 过期则自动尝试 refresh，refresh 失败才跳转登录页。

- 新增 tryRestoreSession() 从 JWT payload 解码用户信息
- 新增 _isTokenExpired() 检查 token 是否过期（预留 60s 缓冲）
- refreshToken() 成功后恢复 AuthState + tenant 上下文
- 新增 /splash 启动页，尝试恢复后决定跳转 dashboard 或 login

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

it0_app/lib/core/router/app_router.dart

@@ -1,6 +1,7 @@
 import 'package:flutter/material.dart';
 import 'package:go_router/go_router.dart';
 import 'package:flutter_riverpod/flutter_riverpod.dart';
+import '../../features/auth/data/providers/auth_provider.dart';
 import '../../features/auth/presentation/pages/login_page.dart';
 import '../../features/dashboard/presentation/pages/dashboard_page.dart';
 import '../../features/chat/presentation/pages/chat_page.dart';
@@ -15,8 +16,12 @@ import '../../features/notifications/presentation/providers/notification_provide
 
 final routerProvider = Provider<GoRouter>((ref) {
   return GoRouter(
-    initialLocation: '/login',
+    initialLocation: '/splash',
     routes: [
+      GoRoute(
+        path: '/splash',
+        builder: (context, state) => const _SplashPage(),
+      ),
       GoRoute(
         path: '/login',
         builder: (context, state) => const LoginPage(),
@@ -107,3 +112,39 @@ class ScaffoldWithNav extends ConsumerWidget {
     );
   }
 }
+
+/// Splash page that tries to restore a previous session.
+class _SplashPage extends ConsumerStatefulWidget {
+  const _SplashPage();
+
+  @override
+  ConsumerState<_SplashPage> createState() => _SplashPageState();
+}
+
+class _SplashPageState extends ConsumerState<_SplashPage> {
+  @override
+  void initState() {
+    super.initState();
+    _tryRestore();
+  }
+
+  Future<void> _tryRestore() async {
+    final auth = ref.read(authStateProvider.notifier);
+    final restored = await auth.tryRestoreSession();
+    if (!mounted) return;
+    if (restored) {
+      context.go('/dashboard');
+    } else {
+      context.go('/login');
+    }
+  }
+
+  @override
+  Widget build(BuildContext context) {
+    return const Scaffold(
+      body: Center(
+        child: CircularProgressIndicator(),
+      ),
+    );
+  }
+}

it0_app/lib/features/auth/data/providers/auth_provider.dart

@@ -1,4 +1,5 @@
 import 'dart:async';
+import 'dart:convert';
 import 'package:dio/dio.dart';
 import 'package:flutter_riverpod/flutter_riverpod.dart';
 import 'package:flutter_secure_storage/flutter_secure_storage.dart';
@@ -59,6 +60,80 @@ class AuthNotifier extends StateNotifier<AuthState> {
 
   AuthNotifier(this._ref) : super(const AuthState());
 
+  /// Try to restore session from stored tokens on app startup.
+  /// Returns true if a valid session was restored.
+  Future<bool> tryRestoreSession() async {
+    final storage = _ref.read(secureStorageProvider);
+    final accessToken = await storage.read(key: _keyAccessToken);
+    if (accessToken == null) return false;
+
+    // Decode JWT payload to get user info
+    final user = _decodeUserFromJwt(accessToken);
+    if (user == null) {
+      // Token is malformed, try refresh
+      return refreshToken();
+    }
+
+    // Check if token is expired
+    if (_isTokenExpired(accessToken)) {
+      // Try to refresh
+      return refreshToken();
+    }
+
+    // Restore auth state
+    state = state.copyWith(
+      isAuthenticated: true,
+      user: user,
+    );
+
+    // Restore tenant context
+    if (user.tenantId != null) {
+      _ref.read(currentTenantIdProvider.notifier).state = user.tenantId;
+    }
+
+    // Reconnect notifications
+    _connectNotifications(user.tenantId);
+
+    return true;
+  }
+
+  /// Decode user info from JWT payload without verification.
+  AuthUser? _decodeUserFromJwt(String token) {
+    try {
+      final parts = token.split('.');
+      if (parts.length != 3) return null;
+      final payload = json.decode(
+        utf8.decode(base64Url.decode(base64Url.normalize(parts[1]))),
+      ) as Map<String, dynamic>;
+      return AuthUser(
+        id: payload['sub'] as String,
+        email: payload['email'] as String? ?? '',
+        name: payload['name'] as String? ?? payload['email'] as String? ?? '',
+        roles: (payload['roles'] as List?)?.cast<String>() ?? [],
+        tenantId: payload['tenantId'] as String?,
+      );
+    } catch (_) {
+      return null;
+    }
+  }
+
+  /// Check if JWT is expired (with 60s buffer).
+  bool _isTokenExpired(String token) {
+    try {
+      final parts = token.split('.');
+      if (parts.length != 3) return true;
+      final payload = json.decode(
+        utf8.decode(base64Url.decode(base64Url.normalize(parts[1]))),
+      ) as Map<String, dynamic>;
+      final exp = payload['exp'] as int?;
+      if (exp == null) return true;
+      final expiry = DateTime.fromMillisecondsSinceEpoch(exp * 1000);
+      return DateTime.now().isAfter(expiry.subtract(const Duration(seconds: 60)));
+    } catch (_) {
+      return true;
+    }
+  }
+
   Future<bool> login(String email, String password) async {
     state = state.copyWith(isLoading: true, error: null);
 
@@ -134,24 +209,37 @@ class AuthNotifier extends StateNotifier<AuthState> {
   Future<bool> refreshToken() async {
     try {
       final storage = _ref.read(secureStorageProvider);
-      final refreshToken = await storage.read(key: _keyRefreshToken);
+      final storedRefreshToken = await storage.read(key: _keyRefreshToken);
-      if (refreshToken == null) return false;
+      if (storedRefreshToken == null) return false;
 
       final config = _ref.read(appConfigProvider);
       final dio = Dio(BaseOptions(baseUrl: config.apiBaseUrl));
 
       final response = await dio.post(
         ApiEndpoints.refreshToken,
-        data: {'refreshToken': refreshToken},
+        data: {'refreshToken': storedRefreshToken},
       );
 
       final data = response.data as Map<String, dynamic>;
-      await storage.write(
+      final newAccessToken = data['accessToken'] as String;
-          key: _keyAccessToken, value: data['accessToken'] as String);
+      await storage.write(key: _keyAccessToken, value: newAccessToken);
       await storage.write(
           key: _keyRefreshToken, value: data['refreshToken'] as String);
 
       _ref.invalidate(accessTokenProvider);
+
+      // Restore user state from new token if not already authenticated
+      if (!state.isAuthenticated) {
+        final user = _decodeUserFromJwt(newAccessToken);
+        if (user != null) {
+          state = state.copyWith(isAuthenticated: true, user: user);
+          if (user.tenantId != null) {
+            _ref.read(currentTenantIdProvider.notifier).state = user.tenantId;
+          }
+          _connectNotifications(user.tenantId);
+        }
+      }
+
       return true;
     } catch (_) {
       await logout();