fix: policy always checked regardless of caller-provided floors

Redesign addVisitor four-phase flow:
- Phase1: ALWAYS query person detail (orgIds for policy lookup)
- Phase2: candidate = caller floors or org floorList
- Phase3: ALWAYS check policy; intersect candidate with allow
- Phase4: empty set validation
Fixes UC-02 bypass: policy was entirely skipped when caller
provided floorIds. Now policy always constrains.
Bump v2.0.19

maven-cw-elevator-application/releases/cw-elevator-application-V2.0.18.20260505/run.sh

@@ -0,0 +1,38 @@
+#!/usr/bin/env bash
+# 与当前目录下 application.properties 同路径启动 V2（maven 构建）包。
+# 默认优先系统 JDK 8；若只有 JDK11+ 会自动附加 --add-opens。
+# ELEVATOR_USE_ENV_JAVA=1 ./run.sh 使用当前 JAVA_HOME（如 Conda）。
+# 发布包内脚本与 JAR、properties 均位于发布根目录（与 cw-elevator-application-V1.0.0.20211103 布局一致）。
+set -euo pipefail
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+# shellcheck source=../common-java.sh
+source "${SCRIPT_DIR}/../common-java.sh"
+cd "$SCRIPT_DIR"
+
+JAR=""
+for candidate in $(ls -1t cw-elevator-application-*.jar 2>/dev/null || true); do
+  if [[ "${candidate}" == *.jar.original ]]; then
+    continue
+  fi
+  JAR="${candidate}"
+  break
+done
+if [[ -z "${JAR}" || ! -f "${JAR}" ]]; then
+  echo "缺少 cw-elevator-application-*.jar，请在 deploy 目录执行: ./sync-jars.sh" >&2
+  exit 1
+fi
+
+_pick_java_home
+if [[ ! -x "${JAVA_HOME}/bin/java" ]]; then
+  echo "ERROR: 未找到可执行的 JDK。请安装 openjdk-8-jdk，或设定 JAVA_HOME / ELEVATOR_USE_ENV_JAVA=1 ./run.sh（使用 Conda 等当前环境）。" >&2
+  exit 1
+fi
+JAVA="${JAVA_HOME}/bin/java"
+OPEN_FLAGS=()
+while IFS= read -r line; do
+  [[ -n "$line" ]] && OPEN_FLAGS+=("$line")
+done < <(_jdk8_open_flags "$JAVA")
+
+# 强制走 Consul：不再注入本地 application*.properties / redis-override.properties。
+# shellcheck disable=SC2086
+exec "$JAVA" "${OPEN_FLAGS[@]}" ${ELEVATOR_JAVA_OPTS:-} -jar "$JAR"