| Name |
Last commit
|
Last update |
|---|---|---|
| .. | ||
| admin.ts | ||
| agent.ts | ||
| auth.ts | ||
| canonical.ts | ||
| common.ts | ||
| fact.ts | ||
| index.ts | ||
| patient.ts | ||
| persona.ts | ||
| plan.ts | ||
| reason-signals.ts | ||
| sync.ts | ||
| wrap.ts |
JWT 是 host 也能解码的凭证,原先装展开后的 sourceUnits/clinicIds(PAC 内部 schema 词汇),
与"host 只发 org_scope"的契约不一致、泄漏内部表示。改为 JWT 只装 orgScope(与契约同词汇),
过滤维留到每请求展开:
- AccessTokenPayload / RefreshPayload:sourceUnits/clinicIds → orgScope;issueTokens 不再展开,直接签
- org-tree.ts(纯函数 expandScope:按 tenantId 选 host org 树展开)+ jvs-dw-preset.ts(树数据,与 mock 共用)
- tenant-scope.interceptor(REST)/ mcp-auth(MCP)每请求 expandScope → scope.{sourceUnits,clinicIds}
- 前端展不开 orgScope → 新增 GET /auth/session 返回展开后的 clinicIds/sourceUnits + role/permissions/dictionary;
auth-store 加 loadSession(登录/F5 后异步补进 user),组件读 user.clinicIds 不变
- weixin-aibot 自签 token 同步改 orgScope;契约文档 §2/§3 同步
验证:JWT 解码只含 orgScope;/auth/session 展开正确;REST /plans 诊所过滤生效(石琳仅本诊所);
集团级 orgScope=[grp]→clinicIds=[]/sourceUnits=[] 不限。两端 tsc 0 错。
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
| Name |
Last commit
|
Last update |
|---|---|---|
| .. | ||
| admin.ts | Loading commit data... | |
| agent.ts | Loading commit data... | |
| auth.ts | Loading commit data... | |
| canonical.ts | Loading commit data... | |
| common.ts | Loading commit data... | |
| fact.ts | Loading commit data... | |
| index.ts | Loading commit data... | |
| patient.ts | Loading commit data... | |
| persona.ts | Loading commit data... | |
| plan.ts | Loading commit data... | |
| reason-signals.ts | Loading commit data... | |
| sync.ts | Loading commit data... | |
| wrap.ts | Loading commit data... |