重构权限模型，使用映射结构替代对象定义，更新相关接口和测试用例

Author: hotlong

docs/guide/security-guide.md

@@ -19,16 +19,19 @@ The security configuration supports both **Role-Based Access Control (RBAC)** an
 
 ## 2. Policy Definition (`.policy.yml`)
 
-A **Policy** is a reusable collection of permission statements without being tied to a specific user identity. It defines "what can be done".
+A **Policy** is a reusable collection of permission statements without being tied to a specific user identity. 
+
+To facilitate storage in database JSONB columns and efficient querying, the structure uses a **Map** keyed by object name.
 
 **File:** `/security/policies/contract_manage.policy.yml`
 
 ```yaml
 name: contract_manage
 description: Standard contract management rules
 
-statements:
-  - object: contracts
+# Map structure: Key is the Object Name
+permissions:
+  contracts:
     actions: [read, create, update] # No delete permission
 
     # Row Level Security (RLS)
@@ -43,7 +46,7 @@ statements:
 
 ## 3. Role Definition (`.role.yml`)
 
-A **Role** defines an identity and assigns permissions. It can compose permissions by referencing **Managed Policies** or defining **Inline Policies**.
+A **Role** defines an identity and assigns permissions. It can compose permissions by referencing **Managed Policies** or defining **Online Permissions**.
 
 **File:** `/security/roles/sales_rep.role.yml`
 
@@ -58,10 +61,10 @@ policies:
   - contract_manage      # References contract_manage.policy.yml
   - base_read_only       # References base_read_only.policy.yml
 
-# 2. Inline Policies (Specific)
+# 2. Inline Permissions (Specific)
 # Valid specifically for this role, not shared
-inline_policies:
-  - object: leads
+permissions:
+  leads:
     actions: [read, create]
     filters:
       - ['status', '=', 'new']
@@ -71,7 +74,7 @@ inline_policies:
 
 When a user with the role `sales_rep` executes a query:
 1.  The system loads all referenced **Managed Policies**.
-2.  The system loads all **Inline Policies**.
-3.  All policies are **merged (Union)**.
+2.  The system loads all **Inline Permissions**.
+3.  All permissions are **merged (Union)**.
     *   If *any* policy allows access to an object, access is granted.
     *   If multiple policies define RLS filters for the same object, they are typically combined with `OR`.

packages/core/src/metadata.ts

@@ -104,9 +104,6 @@ export interface FieldConfig {
  * Defines a permission rule for a specific object.
  */
 export interface PolicyStatement {
-    /** The object API name. Use '*' (wildcard) carefully. */
-    object: string;
-    
     /** Allowed actions. */
     actions: Array<'read' | 'create' | 'update' | 'delete' | '*'>;
 
@@ -129,7 +126,8 @@ export interface PolicyStatement {
 export interface PolicyConfig {
     name: string;
     description?: string;
-    statements: PolicyStatement[];
+    /** Map of Object Name to Permission Rules */
+    permissions: Record<string, PolicyStatement>;
 }
 
 /**
@@ -141,8 +139,8 @@ export interface RoleConfig {
     description?: string;
     /** List of policy names to include. */
     policies?: string[];
-    /** Specific rules defined directly in this role. */
-    inline_policies?: PolicyStatement[];
+    /** Map of inline permissions. */
+    permissions?: Record<string, PolicyStatement>;
 }
 
 export interface ActionConfig {

packages/core/src/security.ts

@@ -36,17 +36,27 @@ export class SecurityEngine {
             if (role.policies) {
                 for (const policyName of role.policies) {
                     const policy = this.policies.get(policyName);
-                    if (policy) {
-                        const statements = policy.statements.filter(s => s.object === objectName || s.object === '*');
-                        effectiveStatements.push(...statements);
+                    if (policy && policy.permissions) {
+                        // Check for specific object permission
+                        if (policy.permissions[objectName]) {
+                            effectiveStatements.push(policy.permissions[objectName]);
+                        }
+                        // Check for wildcard object permission
+                        if (policy.permissions['*']) {
+                            effectiveStatements.push(policy.permissions['*']);
+                        }
                     }
                 }
             }
 
             // Inline Policies
-            if (role.inline_policies) {
-                const statements = role.inline_policies.filter(s => s.object === objectName || s.object === '*');
-                effectiveStatements.push(...statements);
+            if (role.permissions) {
+                if (role.permissions[objectName]) {
+                    effectiveStatements.push(role.permissions[objectName]);
+                }
+                if (role.permissions['*']) {
+                    effectiveStatements.push(role.permissions['*']);
+                }
             }
         }
 

packages/core/test/security.test.ts

@@ -16,7 +16,7 @@ describe('SecurityEngine', () => {
     });
 
     it('should deny access if role has no permission', () => {
-        const role: RoleConfig = { name: 'guest', inline_policies: [] };
+        const role: RoleConfig = { name: 'guest', permissions: {} };
         security.registerRole(role);
 
         const ctx: any = { roles: ['guest'], object: {} as any, transaction: {} as any, sudo: () => ctx };
@@ -27,9 +27,9 @@ describe('SecurityEngine', () => {
     it('should allow access via inline policy', () => {
         const role: RoleConfig = {
             name: 'admin',
-            inline_policies: [
-                { object: 'project', actions: ['read'] }
-            ]
+            permissions: {
+                project: { actions: ['read'] }
+            }
         };
         security.registerRole(role);
 
@@ -41,9 +41,9 @@ describe('SecurityEngine', () => {
     it('should allow access via managed policy', () => {
         const policy: PolicyConfig = {
             name: 'read_access',
-            statements: [
-                { object: 'project', actions: ['read'] }
-            ]
+            permissions: {
+                project: { actions: ['read'] }
+            }
         };
         const role: RoleConfig = {
             name: 'viewer',
@@ -60,13 +60,12 @@ describe('SecurityEngine', () => {
     it('should return RLS filters', () => {
         const policy: PolicyConfig = {
             name: 'owner_only',
-            statements: [
-                {
-                    object: 'project',
+            permissions: {
+                project: {
                     actions: ['read'],
                     filters: [['owner', '=', '$user.id']]
                 }
-            ]
+            }
         };
         const role: RoleConfig = {
             name: 'user',
@@ -86,12 +85,16 @@ describe('SecurityEngine', () => {
         // Policy 1: Own projects
         const p1: PolicyConfig = {
             name: 'own_projects',
-            statements: [{ object: 'project', actions: ['read'], filters: [['owner', '=', 'me']] }]
+            permissions: {
+                project: { actions: ['read'], filters: [['owner', '=', 'me']] }
+            }
         };
         // Policy 2: Public projects
         const p2: PolicyConfig = {
             name: 'public_projects',
-            statements: [{ object: 'project', actions: ['read'], filters: [['public', '=', true]] }]
+            permissions: {
+                project: { actions: ['read'], filters: [['public', '=', true]] }
+            }
         };
 
         const role: RoleConfig = {