feat(capability): 补齐全部后端 API 能力拦截
## 背景
审计发现 13 项用户能力中,部分后端 API 端点缺少 @RequireCapability
拦截,用户可绕过前端 UI 限制直接调用 API。本次逐服务补齐。
## Phase 1: 高优先级 — 操作端点
### auth-service
- POST /auth/password/change → @RequireCapability('PROFILE_EDIT')
修改登录密码需要 PROFILE_EDIT 能力
- POST /auth/trade-password/set → @RequireCapability('PROFILE_EDIT')
设置交易密码需要 PROFILE_EDIT 能力
- POST /auth/trade-password/change → @RequireCapability('PROFILE_EDIT')
修改交易密码需要 PROFILE_EDIT 能力
- POST /auth/trade-password/verify → @RequireCapability('TRADING')
验证交易密码是交易前置步骤,需要 TRADING 能力
### trading-service
- POST /c2c/orders/:orderNo/cancel → @RequireCapability('C2C')
C2C 取消订单是唯一缺失 C2C 能力检查的操作端点
## Phase 2: 低优先级 — 查看端点
### trading-service
- GET /trading/orders → VIEW_RECORDS (用户订单列表)
- GET /trading/trades → VIEW_RECORDS (成交记录)
- GET /transfers/history → VIEW_RECORDS (划转历史)
- GET /p2p/transfers/:accountSequence → VIEW_RECORDS (P2P转账历史)
- GET /c2c/orders/my → VIEW_RECORDS (我的C2C订单)
### contribution-service
- GET /contribution/accounts/:accountSequence/active → VIEW_ASSET
- GET /contribution/accounts/:accountSequence/planting-ledger → VIEW_RECORDS
## 能力覆盖总览 (补齐后)
| 能力 | 端点数 | 状态 |
|------|--------|------|
| LOGIN | 全局 | ✅ JwtAuthGuard 拦截 |
| TRADING | 3 | ✅ createOrder, cancelOrder, verifyTradePassword |
| C2C | 6 | ✅ create, take, cancel, confirmPayment, confirmReceived, uploadProof |
| TRANSFER_IN | 1 | ✅ transferIn |
| TRANSFER_OUT | 1 | ✅ transferOut |
| P2P_SEND | 1 | ✅ transfer |
| KYC | 1 | ✅ submitKyc |
| PROFILE_EDIT | 3 | ✅ changePassword, setTradePassword, changeTradePassword |
| VIEW_ASSET | 2 | ✅ getMyAsset, getActiveContribution |
| VIEW_TEAM | 2 | ✅ getMyTeamInfo, getDirectReferrals |
| VIEW_RECORDS | 6 | ✅ 各服务历史记录端点 |
| P2P_RECEIVE | 0 | 仅前端展示控制(无后端操作端点) |
| MINING_CLAIM | 0 | mining-service 需后续重构(@Public 类级别) |
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
hailin
f4c9535e12