feat: 增强风险规则生成引擎与预算中心页面

后端拆分风险规则生成为解释器、语义分析、本体对齐等子模块，
优化模板执行和流程图生成，完善员工种子数据和导入逻辑，增强
报销单权限策略和草稿持久化，前端新增预算中心视图和趋势图
组件，重构审计页面和风险规则测试对话框交互，完善文档中心
和报销创建页面细节，补充单元测试覆盖。

web/tests/accessControl.test.mjs

@@ -3,6 +3,8 @@ import test from 'node:test'
 
 import {
   canApproveLeaderExpenseClaims,
+  canAccessAppView,
+  canDeleteArchivedExpenseClaims,
   canManageExpenseClaims,
   canReturnExpenseClaims
 } from '../src/utils/accessControl.js'
@@ -28,6 +30,21 @@ test('finance can return and final approve, but only executives can manage delet
   assert.equal(canManageExpenseClaims({ roleCodes: ['executive'] }), true)
 })
 
+test('archived claims can only be deleted by admin users', () => {
+  assert.equal(canDeleteArchivedExpenseClaims({ roleCodes: ['executive'] }), false)
+  assert.equal(canDeleteArchivedExpenseClaims({ roleCodes: ['finance'] }), false)
+  assert.equal(canDeleteArchivedExpenseClaims({ isAdmin: true, roleCodes: ['manager'] }), true)
+})
+
+test('legacy reimbursement approval and archive centers are no longer accessible app views', () => {
+  const adminUser = { isAdmin: true, roleCodes: ['manager', 'finance'] }
+
+  assert.equal(canAccessAppView(adminUser, 'requests'), false)
+  assert.equal(canAccessAppView(adminUser, 'approval'), false)
+  assert.equal(canAccessAppView(adminUser, 'archive'), false)
+  assert.equal(canAccessAppView(adminUser, 'documents'), true)
+})
+
 test('finance approval inbox only processes finance-stage requests', () => {
   const financeUser = { roleCodes: ['finance'], name: '财务' }