"""RBAC 权限与独立性约束(R19、PRD §6 权限矩阵)。 核心独立性规则(硬约束): - 任何角色都不能删除线索(DELETE_CLUE 不授予任何角色;数据库触发器再兜底)。 - 业务方(business)对系统无任何写权限。 - 配规则/改阈值/看线索/出报告分权制衡。 """ from __future__ import annotations import enum class Role(str, enum.Enum): AUDITOR = "auditor" # 审计员 AUDIT_MANAGER = "audit_manager" # 审计主管 RULE_ADMIN = "rule_admin" # 规则管理员 SYS_ADMIN = "sys_admin" # 系统管理员 SYS_AUDITOR = "sys_auditor" # 系统审计员(独立监督) BUSINESS = "business" # 被审计业务方(无写权限) class Permission(str, enum.Enum): QUERY = "query" # 自然语言查询 VIEW_CLUE = "view_clue" # 查看线索 ADJUDICATE_CLUE = "adjudicate_clue" # 研判/定性线索 ASSIGN_CLUE = "assign_clue" # 分派线索 DELETE_CLUE = "delete_clue" # 删除线索(禁止授予任何人) CONFIG_RULE = "config_rule" # 配置规则 ADJUST_THRESHOLD = "adjust_threshold" # 调整阈值 ISSUE_REPORT = "issue_report" # 出具报告 DATA_INGEST = "data_ingest" # 数据接入配置 VIEW_AUDIT_TRAIL = "view_audit_trail" # 查看自审计轨迹 MODEL_DEPLOY = "model_deploy" # 模型部署/升级 # 角色 -> 权限集合。注意:DELETE_CLUE 不出现在任何角色中(线索不可删,R19)。 ROLE_PERMISSIONS: dict[Role, set[Permission]] = { Role.AUDITOR: { Permission.QUERY, Permission.VIEW_CLUE, Permission.ADJUDICATE_CLUE, Permission.ISSUE_REPORT, }, Role.AUDIT_MANAGER: { Permission.QUERY, Permission.VIEW_CLUE, Permission.ADJUDICATE_CLUE, Permission.ASSIGN_CLUE, Permission.ISSUE_REPORT, }, Role.RULE_ADMIN: { Permission.QUERY, Permission.VIEW_CLUE, Permission.CONFIG_RULE, Permission.ADJUST_THRESHOLD, }, Role.SYS_ADMIN: { Permission.DATA_INGEST, Permission.MODEL_DEPLOY, }, Role.SYS_AUDITOR: { Permission.QUERY, Permission.VIEW_CLUE, Permission.VIEW_AUDIT_TRAIL, Permission.ISSUE_REPORT, }, Role.BUSINESS: set(), # 业务方无任何权限 } def has_permission(role: Role, perm: Permission) -> bool: return perm in ROLE_PERMISSIONS.get(role, set()) def can_delete_clue(role: Role) -> bool: """线索不可删除——对所有角色恒为 False(独立性硬约束)。""" return False