/**
 * IAM 治理 API 封装：权限委托 + Access Review
 * 规则参考 docs/standards/09-iam-security.md §5.3.14 / §5.3.15
 *
 * 注意：apiClient 的响应拦截器已解掉 { success, data } 包装，
 * 直接返回 inner data。因此调用 apiClient.<method> 返回 Promise<T>
 * 而非 Promise<AxiosResponse<T>>，但 TypeScript 类型推断不知道这一点，
 * 这里用 unknown 中转 + 显式断言提高可读性。
 */
import apiClient from '@/lib/api-client';

/**
 * A permission delegation record as returned by the `/iam/delegations` API
 * (see listMyDelegations / createDelegation below).
 *
 * Date/time fields are transported as plain strings; the wire format is not
 * fixed in this file — presumably ISO 8601, confirm against the backend.
 */
export interface PermissionDelegation {
  id: string;
  fromUserId: string;
  toUserId: string;
  resource: string;
  validFrom: string;
  validTo: string;
  reason: string;
  organizationId?: string;
  createdById: string;
  createdAt: string;
  // Optional and nullable: a missing/null value presumably means the
  // delegation has not been revoked — confirm with the API contract.
  revokedAt?: string | null;
}

/**
 * Request body for createDelegation().
 *
 * Compared with PermissionDelegation, the delegating user and creator ids are
 * not part of the payload — presumably derived server-side from the caller's
 * session, so a client cannot delegate on behalf of someone else. Confirm
 * against the backend handler.
 */
export interface CreateDelegationDto {
  toUserId: string;
  resource?: string;
  validFrom: string;
  validTo: string;
  reason: string;
  organizationId?: string;
}

/**
 * A user-role assignment that is pending an access review, as returned by
 * listPendingReviews() / approveReview().
 *
 * `lastReviewedAt`, `lastReviewedBy` and `reviewComment` are optional and
 * nullable; null/absent presumably means the assignment was never reviewed.
 * `user` and `role` look like optional server-side expansions of `userId` /
 * `roleId` — callers should not rely on them being present.
 */
export interface PendingUserRoleReview {
  id: string;
  userId: string;
  roleId: string;
  organizationId?: string | null;
  createdAt: string;
  lastReviewedAt?: string | null;
  lastReviewedBy?: string | null;
  reviewComment?: string | null;
  user?: { id: string; username: string; displayName: string };
  role?: { id: string; code: string; name: string };
}

// ===== 委托 =====

/**
 * Fetch the permission delegations belonging to the current caller.
 *
 * The response interceptor on apiClient already strips the
 * `{ success, data }` envelope, so the awaited value is the bare array;
 * the cast only tells TypeScript what the runtime already delivers.
 *
 * @returns the caller's delegations.
 */
export async function listMyDelegations(): Promise<PermissionDelegation[]> {
  const payload: unknown = await apiClient.get('/iam/delegations/mine');
  return payload as PermissionDelegation[];
}

/**
 * Create a new permission delegation for the caller.
 *
 * @param dto - the delegation to create; the delegating user is not part of
 *   the payload (see CreateDelegationDto).
 * @returns the delegation record the server created.
 */
export async function createDelegation(dto: CreateDelegationDto): Promise<PermissionDelegation> {
  const endpoint = '/iam/delegations';
  const payload: unknown = await apiClient.post(endpoint, dto);
  return payload as PermissionDelegation;
}

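/**
 * Revoke one of the caller's permission delegations.
 *
 * @param id - delegation id. It is percent-encoded before being placed in the
 *   URL path so that a value containing `/`, `?` or `#` cannot redirect the
 *   DELETE to a different endpoint.
 * @throws Error if `id` is empty; an empty id would otherwise target the
 *   collection URL `/iam/delegations/` rather than a single delegation.
 */
export async function revokeDelegation(id: string): Promise<void> {
  if (!id) {
    throw new Error('revokeDelegation: id is required');
  }
  await apiClient.delete(`/iam/delegations/${encodeURIComponent(id)}`);
}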

// ===== Access Review =====

/**
 * List user-role assignments that are due for access review.
 *
 * @param days - review window passed to the server as the `days` query
 *   parameter; defaults to 90.
 * @returns the pending review records.
 */
export async function listPendingReviews(days = 90): Promise<PendingUserRoleReview[]> {
  const requestConfig = { params: { days } };
  const payload: unknown = await apiClient.get('/iam/access-review/pending', requestConfig);
  return payload as PendingUserRoleReview[];
}

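/**
 * Approve (re-certify) a user-role assignment during access review.
 *
 * @param userRoleId - id of the user-role assignment. It is percent-encoded
 *   before being interpolated into the path so that a value containing `/`,
 *   `?` or `#` cannot change which endpoint the POST reaches.
 * @param comment - optional reviewer comment sent in the request body.
 * @returns the review record returned by the server.
 * @throws Error if `userRoleId` is empty, which would otherwise produce the
 *   malformed path `/iam/access-review//approve`.
 */
export async function approveReview(
  userRoleId: string,
  comment?: string,
): Promise<PendingUserRoleReview> {
  if (!userRoleId) {
    throw new Error('approveReview: userRoleId is required');
  }
  const path = `/iam/access-review/${encodeURIComponent(userRoleId)}/approve`;
  const payload: unknown = await apiClient.post(path, { comment });
  return payload as PendingUserRoleReview;
}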

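/**
 * Revoke a user-role assignment as the outcome of an access review.
 *
 * @param userRoleId - id of the user-role assignment. It is percent-encoded
 *   before being interpolated into the path so that a value containing `/`,
 *   `?` or `#` cannot change which endpoint the POST reaches.
 * @param comment - optional reviewer comment sent in the request body.
 * @throws Error if `userRoleId` is empty, which would otherwise produce the
 *   malformed path `/iam/access-review//revoke`.
 */
export async function revokeReview(
  userRoleId: string,
  comment?: string,
): Promise<void> {
  if (!userRoleId) {
    throw new Error('revokeReview: userRoleId is required');
  }
  const path = `/iam/access-review/${encodeURIComponent(userRoleId)}/revoke`;
  await apiClient.post(path, { comment });
}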
