| Name |
Last commit
|
Last update |
|---|---|---|
| .. | ||
| admin | ||
| ai | ||
| assistant | ||
| auth | ||
| clinical-gap | ||
| facts | ||
| mcp | ||
| patient | ||
| persona | ||
| plan | ||
| plan-aggregate | ||
| realtime-coach | ||
| sync | ||
| weixin-aibot |
JWT 是 host 也能解码的凭证,原先装展开后的 sourceUnits/clinicIds(PAC 内部 schema 词汇),
与"host 只发 org_scope"的契约不一致、泄漏内部表示。改为 JWT 只装 orgScope(与契约同词汇),
过滤维留到每请求展开:
- AccessTokenPayload / RefreshPayload:sourceUnits/clinicIds → orgScope;issueTokens 不再展开,直接签
- org-tree.ts(纯函数 expandScope:按 tenantId 选 host org 树展开)+ jvs-dw-preset.ts(树数据,与 mock 共用)
- tenant-scope.interceptor(REST)/ mcp-auth(MCP)每请求 expandScope → scope.{sourceUnits,clinicIds}
- 前端展不开 orgScope → 新增 GET /auth/session 返回展开后的 clinicIds/sourceUnits + role/permissions/dictionary;
auth-store 加 loadSession(登录/F5 后异步补进 user),组件读 user.clinicIds 不变
- weixin-aibot 自签 token 同步改 orgScope;契约文档 §2/§3 同步
验证:JWT 解码只含 orgScope;/auth/session 展开正确;REST /plans 诊所过滤生效(石琳仅本诊所);
集团级 orgScope=[grp]→clinicIds=[]/sourceUnits=[] 不限。两端 tsc 0 错。
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
| Name |
Last commit
|
Last update |
|---|---|---|
| .. | ||
| admin | Loading commit data... | |
| ai | Loading commit data... | |
| assistant | Loading commit data... | |
| auth | Loading commit data... | |
| clinical-gap | Loading commit data... | |
| facts | Loading commit data... | |
| mcp | Loading commit data... | |
| patient | Loading commit data... | |
| persona | Loading commit data... | |
| plan | Loading commit data... | |
| plan-aggregate | Loading commit data... | |
| realtime-coach | Loading commit data... | |
| sync | Loading commit data... | |
| weixin-aibot | Loading commit data... |