# @Sensitive Annotation Gap Analysis Report

- Time: 2026-05-08T07:15:36.044Z
- Total @Auditable endpoints: 284
- Annotated @Sensitive: 172
- Annotated @Financial: 3
- **Heuristics say sensitive but not annotated: 38**
- Annotated but not matched by heuristics: 108

## Heuristic Rules

Hitting any one of the following rules suggests the endpoint should be annotated `@Sensitive`:

- `verb=DELETE`: every deletion is treated as sensitive
- `auth/credential`: path or method name matches `/password|reset|token|secret|credential|api[-_]?key/i`
- `bulk/batch`: path or method name matches `/\b(bulk|batch|mass|all)\b/i`
- `permission/role`: path or method name matches `/\brole\b|\bpermission\b|data[-_]?scope|\bgrant\b|\brevoke\b|\baccess\b/i`
- `lifecycle`: path or method name matches `/\block\b|unlock|disable|enable|suspend|activate|archive|restore|deactivate/i`
- `approval/state`: path or method name matches `/\bapprove\b|\breject\b|\bpublish\b|\btransfer\b|\bmerge\b|\bemergency\b|\bbypass\b|impersonate|sudo/i`
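
The following is an added example, not the report generator's or the project's own code: it re-implements the rules above as a small classifier and applies it to a constructed sample of endpoints whose paths and handlers are taken from this report (the `sensitive` flags are made up). It assumes an endpoint record of `verb`, `path`, a `Controller.method` handler string and a boolean `sensitive`, and that "path or method name" means the path and the bare method name after the dot (the class name is not matched); rule hits are listed in the order the rules appear above, with `verb=DELETE` first, which reproduces the table rows below.

```typescript
// Added example (not the project's code): the report's heuristic rules as a classifier.
// Assumed input shape: verb, path, "Controller.method" handler, and whether @Sensitive
// is already present on the endpoint.

interface Endpoint {
  verb: string;
  path: string;
  handler: string;    // "Controller.method", as in the report tables
  sensitive: boolean; // @Sensitive already present (assumed input)
}

interface Rule { name: string; re: RegExp; }

// Regexes copied verbatim from the report. Their order (after verb=DELETE) is the
// order in which multiple hits are listed for one endpoint.
const RULES: Rule[] = [
  { name: 'auth/credential', re: /password|reset|token|secret|credential|api[-_]?key/i },
  { name: 'bulk/batch',      re: /\b(bulk|batch|mass|all)\b/i },
  { name: 'permission/role', re: /\brole\b|\bpermission\b|data[-_]?scope|\bgrant\b|\brevoke\b|\baccess\b/i },
  { name: 'lifecycle',       re: /\block\b|unlock|disable|enable|suspend|activate|archive|restore|deactivate/i },
  { name: 'approval/state',  re: /\bapprove\b|\breject\b|\bpublish\b|\btransfer\b|\bmerge\b|\bemergency\b|\bbypass\b|impersonate|sudo/i },
];

// Names of every rule the endpoint hits. Assumption: "path or method name" means the
// path and the bare method name after the dot; the controller class is not matched.
function matchedRules(ep: Endpoint): string[] {
  const hits: string[] = [];
  if (ep.verb.toUpperCase() === 'DELETE') hits.push('verb=DELETE');
  const method = ep.handler.slice(ep.handler.lastIndexOf('.') + 1);
  for (const rule of RULES) {
    if (rule.re.test(ep.path) || rule.re.test(method)) hits.push(rule.name);
  }
  return hits;
}

interface Gap extends Endpoint { hits: string[]; }

interface Analysis {
  gaps: Gap[];           // heuristics say sensitive, annotation missing (needs review)
  unmatched: Endpoint[]; // annotated, heuristics silent (informational only)
}

function analyze(endpoints: Endpoint[]): Analysis {
  const gaps: Gap[] = [];
  const unmatched: Endpoint[] = [];
  for (const ep of endpoints) {
    const hits = matchedRules(ep);
    if (hits.length > 0 && !ep.sensitive) gaps.push({ ...ep, hits });
    else if (hits.length === 0 && ep.sensitive) unmatched.push(ep);
  }
  return { gaps, unmatched };
}

// One gap rendered as a row in the report's markdown table format.
function gapTableRow(gap: Gap): string {
  return `| ${gap.verb} | \`${gap.path}\` | ${gap.handler} | ${gap.hits.join(', ')} |`;
}

// Constructed sample: paths and handlers come from this report; the `sensitive`
// flags are invented for the example.
const SAMPLE_ENDPOINTS: Endpoint[] = [
  { verb: 'POST',   path: '/ai-assistant/prompts/:id/activate', handler: 'PromptController.activate',          sensitive: false },
  { verb: 'DELETE', path: '/iam/emergency-bypass/:endpoint',     handler: 'EmergencyBypassController.disable', sensitive: false },
  { verb: 'DELETE', path: '/organizations/:id',                  handler: 'OrganizationsController.remove',    sensitive: true  },
  { verb: 'POST',   path: '/tickets/:id/assign',                 handler: 'TicketsController.assign',          sensitive: true  },
  { verb: 'PUT',    path: '/roles/:id/permissions',              handler: 'RolesController.assignPermissions', sensitive: true  },
];

const RESULT = analyze(SAMPLE_ENDPOINTS);
for (const g of RESULT.gaps) console.log(gapTableRow(g));
```

Running it prints the two gap rows exactly as they appear in the module tables below; `/organizations/:id` hits `verb=DELETE` but is annotated in the sample, so it lands in neither list. The last sample entry shows a limit of the rules worth keeping in mind when reading the "annotated but not matched" section: `\brole\b` and `\bpermission\b` only match the singular word with boundaries on both sides, so `/roles/:id/permissions` (RolesController.assignPermissions) is not flagged even though it changes role permissions, and the same applies to `/users/:id/roles` and `/workflow-roles/:id/users`. Such endpoints still need a human decision; the heuristics only narrow the list.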

## Gaps (by module)

### ai-assistant/prompt  (1)

| Verb | Path | Controller.method | Matched rules |
|---|---|---|---|
| POST | `/ai-assistant/prompts/:id/activate` | PromptController.activate | lifecycle |

### core/messaging  (1)

| Verb | Path | Controller.method | Matched rules |
|---|---|---|---|
| POST | `/notifications/batch` | NotificationController.sendBatch | bulk/batch |

### engines/form  (4)

| Verb | Path | Controller.method | Matched rules |
|---|---|---|---|
| POST | `/forms/:formIdentifier/archive` | FormsController.archive | lifecycle |
| POST | `/forms/:formIdentifier/unarchive` | FormsController.unarchive | lifecycle |
| DELETE | `/forms/:formIdentifier/aliases/:alias` | FormsController.removeAlias | verb=DELETE |
| POST | `/forms/_batch/archive` | FormsController.batchArchive | lifecycle |

### flow-diagram  (2)

| Verb | Path | Controller.method | Matched rules |
|---|---|---|---|
| DELETE | `/flow-diagrams/:id` | FlowDiagramController.delete | verb=DELETE |
| POST | `/flow-diagrams/:id/restore-previous` | FlowDiagramController.restorePrevious | lifecycle |

### organization/ai-tools  (4)

| Verb | Path | Controller.method | Matched rules |
|---|---|---|---|
| POST | `/ai-tools/grants/batch` | AIToolsController.batchCreateRoleGrants | bulk/batch |
| DELETE | `/ai-tools/grants/:id` | AIToolsController.deleteRoleGrant | verb=DELETE |
| DELETE | `/ai-tools/user-grants/:id` | AIToolsController.deleteUserGrant | verb=DELETE |
| PUT | `/ai-tools/grants/role/:roleId` | AIToolsController.setRoleGrants | permission/role |

### organization/departments  (3)

| Verb | Path | Controller.method | Matched rules |
|---|---|---|---|
| POST | `/departments/batch` | DepartmentsController.batchCreate | bulk/batch |
| POST | `/departments/:id/members/batch` | DepartmentsController.addMembers | bulk/batch |
| DELETE | `/departments/:id/members/:userId` | DepartmentsController.removeMember | verb=DELETE |

### organization/iam-governance  (11)

| Verb | Path | Controller.method | Matched rules |
|---|---|---|---|
| POST | `/iam/access-review/:id/approve` | AccessReviewController.approve | permission/role, approval/state |
| POST | `/iam/access-review/:id/revoke` | AccessReviewController.revoke | permission/role |
| POST | `/iam/data-scopes` | DataScopesController.create | permission/role |
| PATCH | `/iam/data-scopes/:id` | DataScopesController.update | permission/role |
| DELETE | `/iam/data-scopes/:id` | DataScopesController.remove | verb=DELETE, permission/role |
| DELETE | `/iam/delegations/:id` | DelegationsController.revoke | verb=DELETE, permission/role |
| POST | `/iam/emergency-bypass` | EmergencyBypassController.enable | lifecycle, approval/state |
| DELETE | `/iam/emergency-bypass/:endpoint` | EmergencyBypassController.disable | verb=DELETE, lifecycle, approval/state |
| DELETE | `/iam/field-permissions/:id` | FieldPermissionsController.remove | verb=DELETE |
| POST | `/iam/role-data-scopes` | RoleDataScopesController.bind | permission/role |
| DELETE | `/iam/role-data-scopes/:id` | RoleDataScopesController.unbind | verb=DELETE, permission/role |

### organization/organizations  (2)

| Verb | Path | Controller.method | Matched rules |
|---|---|---|---|
| DELETE | `/organizations/:id` | OrganizationsController.remove | verb=DELETE |
| DELETE | `/organizations/:id/regions/:regionId` | OrganizationsController.removeRegion | verb=DELETE |

### organization/positions  (1)

| Verb | Path | Controller.method | Matched rules |
|---|---|---|---|
| DELETE | `/positions/:id` | PositionsController.remove | verb=DELETE |

### robot-manager  (9)

| Verb | Path | Controller.method | Matched rules |
|---|---|---|---|
| DELETE | `/robot-manager/admin/config/:key` | RobotAdminController.deleteConfig | verb=DELETE |
| DELETE | `/robot-manager/admin/models/:id` | RobotAdminController.deleteModel | verb=DELETE |
| DELETE | `/robot-manager/admin/skus/:id` | RobotAdminController.deleteSku | verb=DELETE |
| DELETE | `/robot-manager/admin/suppliers/:id` | RobotAdminController.deleteSupplier | verb=DELETE |
| DELETE | `/robot-manager/admin/customers/:id` | RobotAdminController.deleteCustomer | verb=DELETE |
| DELETE | `/robot-manager/admin/locations/:id` | RobotAdminController.deleteLocation | verb=DELETE |
| DELETE | `/robot-manager/admin/field-defs/:id` | RobotAdminController.deleteFieldDef | verb=DELETE |
| DELETE | `/robot-manager/:id` | RobotUnitController.softDelete | verb=DELETE |
| POST | `/robot-manager/bulk-status-change` | RobotUnitController.bulkStatusChange | bulk/batch |

## Annotated but not matched by heuristics (informational; usually no action needed)

| Module | Verb | Path | Controller.method |
|---|---|---|---|
| tickets | POST | `/tickets/admin/categories` | TicketAdminController.createCategory |
| tickets | PATCH | `/tickets/admin/categories/:id` | TicketAdminController.updateCategory |
| tickets | POST | `/tickets/admin/groups` | TicketAdminController.createGroup |
| tickets | PATCH | `/tickets/admin/groups/:id` | TicketAdminController.updateGroup |
| tickets | POST | `/tickets/admin/groups/:id/members` | TicketAdminController.addGroupMembers |
| tickets | POST | `/tickets` | TicketsController.create |
| tickets | POST | `/tickets/:id/assign` | TicketsController.assign |
| tickets | POST | `/tickets/:id/watch` | TicketsController.watch |
| parts | POST | `/alerts/acknowledge` | AlertsController.acknowledge |
| parts | POST | `/alerts/resolve` | AlertsController.resolve |
| parts | POST | `/alerts/auto-resolve` | AlertsController.autoResolveFixedAlerts |
| parts | POST | `/parts/columns/configs` | ColumnConfigController.create |
| parts | PUT | `/parts/columns/configs/:id` | ColumnConfigController.update |
| parts | POST | `/parts/columns/configs/:id/set-default` | ColumnConfigController.setDefault |
| parts | POST | `/parts/columns/configs/:id/copy` | ColumnConfigController.copy |
| parts | POST | `/parts/excel/import` | ExcelController.importExcel |
| parts | POST | `/parts/excel/validate` | ExcelController.validateExcel |
| parts | POST | `/inventory/check-in` | InventoryController.checkIn |
| parts | POST | `/inventory/check-out` | InventoryController.checkOut |
| parts | POST | `/inventory/adjust` | InventoryController.adjustInventory |
| parts | POST | `/labels/generate` | LabelsController.generateLabel |
| parts | POST | `/labels/print` | LabelsController.printLabel |
| parts | POST | `/parts` | PartsController.create |
| parts | PUT | `/parts/:partIdentifier` | PartsController.update |
| parts/controllers | POST | `/parts/groups` | PartGroupsController.createGroup |
| parts/controllers | PUT | `/parts/groups/:id` | PartGroupsController.updateGroup |
| parts/controllers | POST | `/parts/groups/:groupId/fields` | PartGroupsController.addCustomFieldToGroup |
| parts/controllers | PUT | `/parts/groups/fields/:fieldId` | PartGroupsController.updateCustomField |
| parts/controllers | POST | `/parts/groups/:groupId/parts` | PartGroupsController.assignPartsToGroup |
| parts/controllers | POST | `/stations` | StationController.create |
| parts/controllers | PUT | `/stations/:id` | StationController.update |
| parts/controllers | POST | `/storage-locations` | StorageLocationController.create |
| parts/controllers | PUT | `/storage-locations/:id` | StorageLocationController.update |
| parts/controllers | POST | `/warehouses` | WarehouseController.create |
| parts/controllers | PUT | `/warehouses/:id` | WarehouseController.update |
| organization/workflow-roles | POST | `/workflow-roles` | WorkflowRolesController.create |
| organization/workflow-roles | PUT | `/workflow-roles/:id` | WorkflowRolesController.update |
| organization/workflow-roles | POST | `/workflow-roles/:id/users` | WorkflowRolesController.assignUsers |
| organization/workflow-roles | POST | `/workflow-roles/resolve` | WorkflowRolesController.resolve |
| organization/users | POST | `/users/import-work-city/commit` | UsersController.commitImportWorkCity |
| organization/users | POST | `/users/:id/roles` | UsersController.assignRoles |
| organization/users | POST | `/users/:id/roles/add` | UsersController.addRoles |
| organization/users | POST | `/users/:id/region-roles` | UsersController.assignRegionRoles |
| organization/users | POST | `/users/:id/region-roles/add` | UsersController.addRegionRole |
| organization/users | POST | `/users/:id/region-roles/remove` | UsersController.removeRegionRole |
| organization/users | POST | `/users/:id/terminate` | UsersController.terminate |
| organization/users | PATCH | `/users/:id/status` | UsersController.updateStatus |
| organization/user-departments | POST | `/users/:userId/departments` | UserDepartmentsController.addUserDepartment |
| organization/user-departments | PATCH | `/users/:userId/departments/:departmentId` | UserDepartmentsController.updateUserDepartment |
| organization/user-departments | PUT | `/users/:userId/departments/:departmentId/primary` | UserDepartmentsController.setPrimaryDepartment |
| organization/sync | POST | `/organization/sync` | SyncController.syncFromEntraId |
| organization/roles | POST | `/roles` | RolesController.create |
| organization/roles | PUT | `/roles/:id` | RolesController.update |
| organization/roles | PUT | `/roles/:id/permissions` | RolesController.assignPermissions |
| organization/regions | POST | `/regions` | RegionsController.create |
| organization/regions | PATCH | `/regions/:id` | RegionsController.update |
| organization/regions | PUT | `/regions/:id/default-organization` | RegionsController.setDefaultOrganization |
| organization/departments | PUT | `/departments/:id/head` | DepartmentsController.setHead |
| organization/auth | POST | `/auth/register` | AuthController.register |
| ops-center/m365-dormant | POST | `/ops-center/m365-dormant/sync` | M365DormantController.triggerSync |
| feedback | PATCH | `/feedbacks/:id/status` | FeedbackController.updateStatus |
| feedback | PATCH | `/feedbacks/:id` | FeedbackController.update |
| ai-assistant/knowledge | POST | `/ai-assistant/knowledge-fixes` | KnowledgeController.create |
| ai-assistant/knowledge | PUT | `/ai-assistant/knowledge-fixes/:id/review` | KnowledgeController.review |
| ai-assistant/config | PUT | `/ai-assistant/config/:key` | AIConfigController.update |
| engines/form | POST | `/form-management/definitions` | FormManagementController.create |
| engines/form | PATCH | `/form-management/definitions/:id` | FormManagementController.update |
| engines/form | PUT | `/form-management/definitions/:id/design` | FormManagementController.saveDesign |
| engines/form | PUT | `/form-management/definitions/:id/form-design` | FormManagementController.saveFormDesign |
| engines/form | PUT | `/form-management/definitions/:id/process-design` | FormManagementController.saveProcessDesign |
| engines/form | POST | `/form-management/instances` | InstanceController.create |
| engines/form | PATCH | `/form-management/instances/:id` | InstanceController.updateInstance |
| engines/form | POST | `/form-management/instances/:id/submit` | InstanceController.submitInstance |
| engines/form | POST | `/form-management/instances/:id/withdraw` | InstanceController.withdrawInstance |
| engines/form | POST | `/form-management/definitions/:id/submit-review` | SnapshotController.submitReview |
| engines/form | POST | `/form-management/snapshots/:snapshotId/review` | SnapshotController.review |
| engines/form | POST | `/form-management/snapshots/:snapshotId/rollback` | SnapshotController.rollback |
| engines/form | POST | `/form-management/webhooks` | WebhookController.create |
| engines/form | PATCH | `/form-management/webhooks/:id` | WebhookController.update |
| engines/form | POST | `/form-management/webhooks/:id/test` | WebhookController.sendTestEvent |
| engines/form | POST | `/form-instances` | FormInstancesController.create |
| engines/form | PATCH | `/form-instances/:instanceIdentifier` | FormInstancesController.update |
| engines/form | POST | `/form-instances/:instanceIdentifier/submit` | FormInstancesController.submit |
| engines/form | POST | `/form-instances/:instanceIdentifier/cancel` | FormInstancesController.cancel |
| engines/form | POST | `/form-instances/:instanceIdentifier/withdraw` | FormInstancesController.withdrawForm |
| engines/form | POST | `/form-templates` | FormTemplatesController.create |
| engines/form | PATCH | `/form-templates/:templateIdentifier` | FormTemplatesController.update |
| engines/form | POST | `/form-templates/:templateIdentifier/create-form` | FormTemplatesController.createFormFromTemplate |
| engines/form | PUT | `/forms/:formIdentifier/versions/:version/translations/:locale` | FormTranslationsController.upsert |
| engines/form | POST | `/forms/:formIdentifier/versions/:version/translations/import` | FormTranslationsController.batchImport |
| engines/form | POST | `/forms/:formIdentifier/versions` | FormVersionsController.create |
| engines/form | PATCH | `/forms/:formIdentifier/versions/:version` | FormVersionsController.update |
| engines/form | POST | `/forms/:formIdentifier/versions/:version/deprecate` | FormVersionsController.deprecate |
| engines/form | POST | `/forms/:formIdentifier/versions/_actions/set-default` | FormVersionsController.setDefault |
| engines/form | POST | `/forms/:formIdentifier/versions/:version/submit-review` | FormVersionsController.submitForReview |
| engines/form | POST | `/forms/:formIdentifier/versions/:version/review` | FormVersionsController.reviewVersion |
| engines/approval | POST | `/approval/admin/sync` | ApprovalController.syncDefinitions |
| engines/approval | POST | `/approval/:instanceId/return` | ApprovalController.return |
| engines/approval | POST | `/approval/:instanceId/approver-withdraw` | ApprovalController.approverWithdraw |
| engines/approval | POST | `/approval/:instanceId/add-sign` | ApprovalController.addSign |
| core/messaging | POST | `/notifications/:id/retry` | NotificationController.retry |
| core/messaging | POST | `/notifications/templates` | NotificationController.createTemplate |
| core/messaging | PUT | `/notifications/templates/:code` | NotificationController.updateTemplate |
| core/messaging | POST | `/notifications/templates/test-render` | NotificationController.testRender |
| core/compute | POST | `/automation/tasks` | AutomationController.create |
| core/compute | PATCH | `/automation/tasks/:id` | AutomationController.update |
| core/compute | POST | `/automation/tasks/:id/pause` | AutomationController.pause |
| core/compute | POST | `/automation/tasks/:id/execute` | AutomationController.execute |