diff --git a/backend/easycard-boot/src/main/java/com/easycard/boot/config/SecurityConfig.java b/backend/easycard-boot/src/main/java/com/easycard/boot/config/SecurityConfig.java
index 34459f0..a8dfb2c 100644
--- a/backend/easycard-boot/src/main/java/com/easycard/boot/config/SecurityConfig.java
+++ b/backend/easycard-boot/src/main/java/com/easycard/boot/config/SecurityConfig.java
@@ -5,6 +5,7 @@ import com.easycard.common.auth.JwtTokenService;
 import com.easycard.common.auth.LoginUser;
 import com.easycard.common.tenant.TenantContext;
 import com.easycard.common.tenant.TenantContextHolder;
+import com.easycard.module.tenant.web.MiniappTenantContextFilter;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import jakarta.servlet.FilterChain;
 import jakarta.servlet.ServletException;
@@ -83,7 +84,8 @@ public class SecurityConfig {
     @Bean
     public SecurityFilterChain securityFilterChain(
             HttpSecurity http,
-            JwtAuthenticationFilter jwtAuthenticationFilter
+            JwtAuthenticationFilter jwtAuthenticationFilter,
+            MiniappTenantContextFilter miniappTenantContextFilter
     ) throws Exception {
         http
                 .csrf(AbstractHttpConfigurer::disable)
@@ -108,6 +110,7 @@ public class SecurityConfig {
                     response.setContentType(MediaType.APPLICATION_JSON_VALUE);
                     response.getWriter().write("{\"code\":\"UNAUTHORIZED\",\"message\":\"未登录或登录已失效\",\"data\":null}");
                 }))
+                .addFilterBefore(miniappTenantContextFilter, UsernamePasswordAuthenticationFilter.class)
                 .addFilterBefore(jwtAuthenticationFilter, UsernamePasswordAuthenticationFilter.class)
                 .cors(Customizer.withDefaults());
         return http.build();
@@ -128,7 +131,10 @@ class JwtAuthenticationFilter extends OncePerRequestFilter {
     @Override
     protected boolean shouldNotFilter(HttpServletRequest request) {
         String uri = request.getRequestURI();
-        return uri.startsWith("/api/open/") || "/api/v1/auth/login".equals(uri);
+        if (uri == null) {
+            return false;
+        }
+        return uri.contains("/api/open/") || uri.endsWith("/api/v1/auth/login");
     }
 
     @Override
diff --git a/backend/easycard-common/src/main/java/com/easycard/common/web/GlobalExceptionHandler.java b/backend/easycard-common/src/main/java/com/easycard/common/web/GlobalExceptionHandler.java
index cdf3d4e..5bbe35b 100644
--- a/backend/easycard-common/src/main/java/com/easycard/common/web/GlobalExceptionHandler.java
+++ b/backend/easycard-common/src/main/java/com/easycard/common/web/GlobalExceptionHandler.java
@@ -32,9 +32,4 @@ public class GlobalExceptionHandler {
     public ApiResponse<Void> handleMaxUploadSizeExceededException(MaxUploadSizeExceededException exception) {
         return ApiResponse.fail("FILE_TOO_LARGE", "上传图片不能超过 5MB");
     }
-
-    @ExceptionHandler(Exception.class)
-    public ApiResponse<Void> handleException(Exception exception) {
-        return ApiResponse.fail("INTERNAL_SERVER_ERROR", exception.getMessage());
-    }
 }
diff --git a/backend/easycard-module-card/src/main/java/com/easycard/module/card/service/CardProfileService.java b/backend/easycard-module-card/src/main/java/com/easycard/module/card/service/CardProfileService.java
index f07e9af..c596267 100644
--- a/backend/easycard-module-card/src/main/java/com/easycard/module/card/service/CardProfileService.java
+++ b/backend/easycard-module-card/src/main/java/com/easycard/module/card/service/CardProfileService.java
@@ -343,18 +343,21 @@ public class CardProfileService {
         Map<Long, List<String>> specialtyMap = loadSpecialtyMap(cards.stream().map(CardProfileDO::getId).toList());
         return cards.stream()
                 .filter(card -> {
-                    String deptName = deptMap.containsKey(card.getDeptId()) ? deptMap.get(card.getDeptId()).getDeptName() : "";
+                    OrgDepartmentDO department = card.getDeptId() == null ? null : deptMap.get(card.getDeptId());
+                    String deptName = department == null ? "" : department.getDeptName();
                     List<String> specialties = specialtyMap.getOrDefault(card.getId(), List.of());
                     boolean keywordMatched = !StringUtils.hasText(keyword)
-                            || card.getCardName().contains(keyword)
-                            || deptName.contains(keyword)
-                            || specialties.stream().anyMatch(item -> item.contains(keyword));
+                            || containsText(card.getCardName(), keyword)
+                            || containsText(deptName, keyword)
+                            || specialties.stream().anyMatch(item -> containsText(item, keyword));
                     boolean officeMatched = !StringUtils.hasText(office) || office.equals(deptName);
-                    boolean areaMatched = !StringUtils.hasText(practiceArea) || specialties.stream().anyMatch(item -> item.equals(practiceArea));
+                    boolean areaMatched = !StringUtils.hasText(practiceArea)
+                            || specialties.stream().anyMatch(item -> equalsText(item, practiceArea));
                     return keywordMatched && officeMatched && areaMatched;
                 })
                 .map(card -> {
-                    String deptName = deptMap.containsKey(card.getDeptId()) ? deptMap.get(card.getDeptId()).getDeptName() : "";
+                    OrgDepartmentDO department = card.getDeptId() == null ? null : deptMap.get(card.getDeptId());
+                    String deptName = department == null ? "" : department.getDeptName();
                     return new OpenCardListItem(
                             card.getId(),
                             card.getCardName(),
@@ -496,6 +499,14 @@ public class CardProfileService {
         return AUTO_MANAGED_ROLE_CODE.equals(roleCode);
     }
 
+    private boolean containsText(String source, String keyword) {
+        return source != null && keyword != null && source.contains(keyword);
+    }
+
+    private boolean equalsText(String left, String right) {
+        return left != null && left.equals(right);
+    }
+
     private SysUserDO createHiddenLawyerUser(LoginUser loginUser, UpsertCardRequest request) {
         SysRoleDO role = getRequiredTenantRole(loginUser.tenantId(), AUTO_MANAGED_ROLE_CODE);
         SysUserDO user = new SysUserDO();
diff --git a/backend/easycard-module-tenant/src/main/java/com/easycard/module/tenant/web/MiniappTenantContextFilter.java b/backend/easycard-module-tenant/src/main/java/com/easycard/module/tenant/web/MiniappTenantContextFilter.java
index 4c12b38..31f97c0 100644
--- a/backend/easycard-module-tenant/src/main/java/com/easycard/module/tenant/web/MiniappTenantContextFilter.java
+++ b/backend/easycard-module-tenant/src/main/java/com/easycard/module/tenant/web/MiniappTenantContextFilter.java
@@ -33,7 +33,8 @@ public class MiniappTenantContextFilter extends OncePerRequestFilter {
 
     @Override
     protected boolean shouldNotFilter(HttpServletRequest request) {
-        return !request.getRequestURI().startsWith("/api/open/");
+        String uri = request.getRequestURI();
+        return uri == null || !uri.contains("/api/open/");
     }
 
     @Override
diff --git a/frontend_miniprogram/miniprogram/config/runtime.ts b/frontend_miniprogram/miniprogram/config/runtime.ts
index 46ee6d1..e9eadb3 100644
--- a/frontend_miniprogram/miniprogram/config/runtime.ts
+++ b/frontend_miniprogram/miniprogram/config/runtime.ts
@@ -9,8 +9,8 @@ export interface TenantRuntimeConfig {
 // develop 环境允许本地联调；trial/release 请替换为已备案且已配置到小程序后台“服务器域名”的 HTTPS 域名。
 export const tenantRuntimeConfig: TenantRuntimeConfig = {
   apiBaseUrlByEnv: {
-    develop: 'http://127.0.0.1:8112',
-    trial: 'https://trial-api.example.com',
-    release: 'https://api.example.com',
+    develop: 'https://easyflowtech.cn/card',
+    trial: 'https://easyflowtech.cn/card',
+    release: 'https://easyflowtech.cn/card',
   },
 };