重构数据权限模型并清理旧RBAC代码

核心变更：
- 数据权限过滤从基于账号层级改为基于用户类型的多策略过滤
- 移除 AccountStore 中的 GetSubordinateIDs 等旧方法
- 重构认证中间件，支持 enterprise_id 和 customer_id
- 更新 GORM Callback，根据用户类型自动选择过滤策略（代理/企业/个人客户）
- 更新所有集成测试以适配新的 API 签名
- 添加功能总结文档和 OpenSpec 归档

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

tests/integration/account_role_test.go

@@ -81,7 +81,7 @@ func TestAccountRoleAssociation_AssignRoles(t *testing.T) {
 	accService := accountService.New(accountStore, roleStore, accountRoleStore)
 
 	// 创建测试用户上下文
-	userCtx := middleware.SetUserContext(ctx, 1, constants.UserTypeSuperAdmin, 0)
+	userCtx := middleware.SetUserContext(ctx, middleware.NewSimpleUserContext(1, constants.UserTypeSuperAdmin, 0))
 
 	t.Run("成功分配单个角色", func(t *testing.T) {
 		// 创建测试账号
@@ -307,7 +307,7 @@ func TestAccountRoleAssociation_SoftDelete(t *testing.T) {
 	accountRoleStore := postgresStore.NewAccountRoleStore(db)
 	accService := accountService.New(accountStore, roleStore, accountRoleStore)
 
-	userCtx := middleware.SetUserContext(ctx, 1, constants.UserTypeSuperAdmin, 0)
+	userCtx := middleware.SetUserContext(ctx, middleware.NewSimpleUserContext(1, constants.UserTypeSuperAdmin, 0))
 
 	t.Run("软删除角色后重新分配可以恢复", func(t *testing.T) {
 		// 创建测试数据

tests/integration/account_test.go

@@ -167,7 +167,7 @@ func TestAccountAPI_Create(t *testing.T) {
 	// 创建一个测试用的中间件来设置用户上下文
 	testUserID := uint(1)
 	env.app.Use(func(c *fiber.Ctx) error {
-		ctx := middleware.SetUserContext(c.UserContext(), testUserID, constants.UserTypeSuperAdmin, 0)
+		ctx := middleware.SetUserContext(c.UserContext(), middleware.NewSimpleUserContext(testUserID, constants.UserTypeSuperAdmin, 0))
 		c.SetUserContext(ctx)
 		return c.Next()
 	})
@@ -272,7 +272,7 @@ func TestAccountAPI_Get(t *testing.T) {
 	// 添加测试中间件
 	testUserID := uint(1)
 	env.app.Use(func(c *fiber.Ctx) error {
-		ctx := middleware.SetUserContext(c.UserContext(), testUserID, constants.UserTypeSuperAdmin, 0)
+		ctx := middleware.SetUserContext(c.UserContext(), middleware.NewSimpleUserContext(testUserID, constants.UserTypeSuperAdmin, 0))
 		c.SetUserContext(ctx)
 		return c.Next()
 	})
@@ -330,7 +330,7 @@ func TestAccountAPI_Update(t *testing.T) {
 	// 添加测试中间件
 	testUserID := uint(1)
 	env.app.Use(func(c *fiber.Ctx) error {
-		ctx := middleware.SetUserContext(c.UserContext(), testUserID, constants.UserTypeSuperAdmin, 0)
+		ctx := middleware.SetUserContext(c.UserContext(), middleware.NewSimpleUserContext(testUserID, constants.UserTypeSuperAdmin, 0))
 		c.SetUserContext(ctx)
 		return c.Next()
 	})
@@ -374,7 +374,7 @@ func TestAccountAPI_Delete(t *testing.T) {
 	// 添加测试中间件
 	testUserID := uint(1)
 	env.app.Use(func(c *fiber.Ctx) error {
-		ctx := middleware.SetUserContext(c.UserContext(), testUserID, constants.UserTypeSuperAdmin, 0)
+		ctx := middleware.SetUserContext(c.UserContext(), middleware.NewSimpleUserContext(testUserID, constants.UserTypeSuperAdmin, 0))
 		c.SetUserContext(ctx)
 		return c.Next()
 	})
@@ -411,7 +411,7 @@ func TestAccountAPI_List(t *testing.T) {
 	// 添加测试中间件
 	testUserID := uint(1)
 	env.app.Use(func(c *fiber.Ctx) error {
-		ctx := middleware.SetUserContext(c.UserContext(), testUserID, constants.UserTypeSuperAdmin, 0)
+		ctx := middleware.SetUserContext(c.UserContext(), middleware.NewSimpleUserContext(testUserID, constants.UserTypeSuperAdmin, 0))
 		c.SetUserContext(ctx)
 		return c.Next()
 	})
@@ -456,7 +456,7 @@ func TestAccountAPI_AssignRoles(t *testing.T) {
 	// 添加测试中间件
 	testUserID := uint(1)
 	env.app.Use(func(c *fiber.Ctx) error {
-		ctx := middleware.SetUserContext(c.UserContext(), testUserID, constants.UserTypeSuperAdmin, 0)
+		ctx := middleware.SetUserContext(c.UserContext(), middleware.NewSimpleUserContext(testUserID, constants.UserTypeSuperAdmin, 0))
 		c.SetUserContext(ctx)
 		return c.Next()
 	})
@@ -507,7 +507,7 @@ func TestAccountAPI_GetRoles(t *testing.T) {
 	// 添加测试中间件
 	testUserID := uint(1)
 	env.app.Use(func(c *fiber.Ctx) error {
-		ctx := middleware.SetUserContext(c.UserContext(), testUserID, constants.UserTypeSuperAdmin, 0)
+		ctx := middleware.SetUserContext(c.UserContext(), middleware.NewSimpleUserContext(testUserID, constants.UserTypeSuperAdmin, 0))
 		c.SetUserContext(ctx)
 		return c.Next()
 	})
@@ -560,7 +560,7 @@ func TestAccountAPI_RemoveRole(t *testing.T) {
 	// 添加测试中间件
 	testUserID := uint(1)
 	env.app.Use(func(c *fiber.Ctx) error {
-		ctx := middleware.SetUserContext(c.UserContext(), testUserID, constants.UserTypeSuperAdmin, 0)
+		ctx := middleware.SetUserContext(c.UserContext(), middleware.NewSimpleUserContext(testUserID, constants.UserTypeSuperAdmin, 0))
 		c.SetUserContext(ctx)
 		return c.Next()
 	})

tests/integration/api_regression_test.go

@@ -121,7 +121,7 @@ func setupRegressionTestEnv(t *testing.T) *regressionTestEnv {
 
 	// 添加测试中间件设置用户上下文
 	app.Use(func(c *fiber.Ctx) error {
-		ctx := middleware.SetUserContext(c.UserContext(), 1, constants.UserTypeSuperAdmin, 0)
+		ctx := middleware.SetUserContext(c.UserContext(), middleware.NewSimpleUserContext(1, constants.UserTypeSuperAdmin, 0))
 		c.SetUserContext(ctx)
 		return c.Next()
 	})

tests/integration/auth_test.go

@@ -53,13 +53,13 @@ func setupAuthTestApp(t *testing.T, rdb *redis.Client) *fiber.App {
 	// Add authentication middleware
 	tokenValidator := validator.NewTokenValidator(rdb, logger.GetAppLogger())
 	app.Use(middleware.Auth(middleware.AuthConfig{
-		TokenValidator: func(token string) (uint, int, uint, error) {
+		TokenValidator: func(token string) (*middleware.UserContextInfo, error) {
 			_, err := tokenValidator.Validate(token)
 			if err != nil {
-				return 0, 0, 0, err
+				return nil, err
 			}
 			// 测试中简化处理：userID 设为 1，userType 设为普通用户
-			return 1, 0, 0, nil
+			return middleware.NewSimpleUserContext(1, 0, 0), nil
 		},
 	}))
 
@@ -352,13 +352,13 @@ func TestKeyAuthMiddleware_UserIDPropagation(t *testing.T) {
 	// Add authentication middleware
 	tokenValidator := validator.NewTokenValidator(rdb, logger.GetAppLogger())
 	app.Use(middleware.Auth(middleware.AuthConfig{
-		TokenValidator: func(token string) (uint, int, uint, error) {
+		TokenValidator: func(token string) (*middleware.UserContextInfo, error) {
 			_, err := tokenValidator.Validate(token)
 			if err != nil {
-				return 0, 0, 0, err
+				return nil, err
 			}
 			// 测试中简化处理：userID 设为 1，userType 设为普通用户
-			return 1, 0, 0, nil
+			return middleware.NewSimpleUserContext(1, 0, 0), nil
 		},
 	}))
 

tests/integration/permission_test.go

@@ -117,7 +117,7 @@ func TestPermissionAPI_Create(t *testing.T) {
 	// 添加测试中间件
 	testUserID := uint(1)
 	env.app.Use(func(c *fiber.Ctx) error {
-		ctx := middleware.SetUserContext(c.UserContext(), testUserID, constants.UserTypeSuperAdmin, 0)
+		ctx := middleware.SetUserContext(c.UserContext(), middleware.NewSimpleUserContext(testUserID, constants.UserTypeSuperAdmin, 0))
 		c.SetUserContext(ctx)
 		return c.Next()
 	})
@@ -221,7 +221,7 @@ func TestPermissionAPI_Get(t *testing.T) {
 	// 添加测试中间件
 	testUserID := uint(1)
 	env.app.Use(func(c *fiber.Ctx) error {
-		ctx := middleware.SetUserContext(c.UserContext(), testUserID, constants.UserTypeSuperAdmin, 0)
+		ctx := middleware.SetUserContext(c.UserContext(), middleware.NewSimpleUserContext(testUserID, constants.UserTypeSuperAdmin, 0))
 		c.SetUserContext(ctx)
 		return c.Next()
 	})
@@ -267,7 +267,7 @@ func TestPermissionAPI_Update(t *testing.T) {
 	// 添加测试中间件
 	testUserID := uint(1)
 	env.app.Use(func(c *fiber.Ctx) error {
-		ctx := middleware.SetUserContext(c.UserContext(), testUserID, constants.UserTypeSuperAdmin, 0)
+		ctx := middleware.SetUserContext(c.UserContext(), middleware.NewSimpleUserContext(testUserID, constants.UserTypeSuperAdmin, 0))
 		c.SetUserContext(ctx)
 		return c.Next()
 	})
@@ -310,7 +310,7 @@ func TestPermissionAPI_Delete(t *testing.T) {
 	// 添加测试中间件
 	testUserID := uint(1)
 	env.app.Use(func(c *fiber.Ctx) error {
-		ctx := middleware.SetUserContext(c.UserContext(), testUserID, constants.UserTypeSuperAdmin, 0)
+		ctx := middleware.SetUserContext(c.UserContext(), middleware.NewSimpleUserContext(testUserID, constants.UserTypeSuperAdmin, 0))
 		c.SetUserContext(ctx)
 		return c.Next()
 	})
@@ -346,7 +346,7 @@ func TestPermissionAPI_List(t *testing.T) {
 	// 添加测试中间件
 	testUserID := uint(1)
 	env.app.Use(func(c *fiber.Ctx) error {
-		ctx := middleware.SetUserContext(c.UserContext(), testUserID, constants.UserTypeSuperAdmin, 0)
+		ctx := middleware.SetUserContext(c.UserContext(), middleware.NewSimpleUserContext(testUserID, constants.UserTypeSuperAdmin, 0))
 		c.SetUserContext(ctx)
 		return c.Next()
 	})
@@ -390,7 +390,7 @@ func TestPermissionAPI_GetTree(t *testing.T) {
 	// 添加测试中间件
 	testUserID := uint(1)
 	env.app.Use(func(c *fiber.Ctx) error {
-		ctx := middleware.SetUserContext(c.UserContext(), testUserID, constants.UserTypeSuperAdmin, 0)
+		ctx := middleware.SetUserContext(c.UserContext(), middleware.NewSimpleUserContext(testUserID, constants.UserTypeSuperAdmin, 0))
 		c.SetUserContext(ctx)
 		return c.Next()
 	})

tests/integration/role_permission_test.go

@@ -64,7 +64,7 @@ func TestRolePermissionAssociation_AssignPermissions(t *testing.T) {
 	roleSvc := roleService.New(roleStore, permStore, rolePermStore)
 
 	// 创建测试用户上下文
-	userCtx := middleware.SetUserContext(ctx, 1, constants.UserTypeSuperAdmin, 0)
+	userCtx := middleware.SetUserContext(ctx, middleware.NewSimpleUserContext(1, constants.UserTypeSuperAdmin, 0))
 
 	t.Run("成功分配单个权限", func(t *testing.T) {
 		// 创建测试角色
@@ -270,7 +270,7 @@ func TestRolePermissionAssociation_SoftDelete(t *testing.T) {
 	rolePermStore := postgresStore.NewRolePermissionStore(db)
 	roleSvc := roleService.New(roleStore, permStore, rolePermStore)
 
-	userCtx := middleware.SetUserContext(ctx, 1, constants.UserTypeSuperAdmin, 0)
+	userCtx := middleware.SetUserContext(ctx, middleware.NewSimpleUserContext(1, constants.UserTypeSuperAdmin, 0))
 
 	t.Run("软删除权限后重新分配可以恢复", func(t *testing.T) {
 		// 创建测试数据

tests/integration/role_test.go

@@ -159,7 +159,7 @@ func TestRoleAPI_Create(t *testing.T) {
 	// 添加测试中间件
 	testUserID := uint(1)
 	env.app.Use(func(c *fiber.Ctx) error {
-		ctx := middleware.SetUserContext(c.UserContext(), testUserID, constants.UserTypeSuperAdmin, 0)
+		ctx := middleware.SetUserContext(c.UserContext(), middleware.NewSimpleUserContext(testUserID, constants.UserTypeSuperAdmin, 0))
 		c.SetUserContext(ctx)
 		return c.Next()
 	})
@@ -217,7 +217,7 @@ func TestRoleAPI_Get(t *testing.T) {
 	// 添加测试中间件
 	testUserID := uint(1)
 	env.app.Use(func(c *fiber.Ctx) error {
-		ctx := middleware.SetUserContext(c.UserContext(), testUserID, constants.UserTypeSuperAdmin, 0)
+		ctx := middleware.SetUserContext(c.UserContext(), middleware.NewSimpleUserContext(testUserID, constants.UserTypeSuperAdmin, 0))
 		c.SetUserContext(ctx)
 		return c.Next()
 	})
@@ -262,7 +262,7 @@ func TestRoleAPI_Update(t *testing.T) {
 	// 添加测试中间件
 	testUserID := uint(1)
 	env.app.Use(func(c *fiber.Ctx) error {
-		ctx := middleware.SetUserContext(c.UserContext(), testUserID, constants.UserTypeSuperAdmin, 0)
+		ctx := middleware.SetUserContext(c.UserContext(), middleware.NewSimpleUserContext(testUserID, constants.UserTypeSuperAdmin, 0))
 		c.SetUserContext(ctx)
 		return c.Next()
 	})
@@ -304,7 +304,7 @@ func TestRoleAPI_Delete(t *testing.T) {
 	// 添加测试中间件
 	testUserID := uint(1)
 	env.app.Use(func(c *fiber.Ctx) error {
-		ctx := middleware.SetUserContext(c.UserContext(), testUserID, constants.UserTypeSuperAdmin, 0)
+		ctx := middleware.SetUserContext(c.UserContext(), middleware.NewSimpleUserContext(testUserID, constants.UserTypeSuperAdmin, 0))
 		c.SetUserContext(ctx)
 		return c.Next()
 	})
@@ -339,7 +339,7 @@ func TestRoleAPI_List(t *testing.T) {
 	// 添加测试中间件
 	testUserID := uint(1)
 	env.app.Use(func(c *fiber.Ctx) error {
-		ctx := middleware.SetUserContext(c.UserContext(), testUserID, constants.UserTypeSuperAdmin, 0)
+		ctx := middleware.SetUserContext(c.UserContext(), middleware.NewSimpleUserContext(testUserID, constants.UserTypeSuperAdmin, 0))
 		c.SetUserContext(ctx)
 		return c.Next()
 	})
@@ -375,7 +375,7 @@ func TestRoleAPI_AssignPermissions(t *testing.T) {
 	// 添加测试中间件
 	testUserID := uint(1)
 	env.app.Use(func(c *fiber.Ctx) error {
-		ctx := middleware.SetUserContext(c.UserContext(), testUserID, constants.UserTypeSuperAdmin, 0)
+		ctx := middleware.SetUserContext(c.UserContext(), middleware.NewSimpleUserContext(testUserID, constants.UserTypeSuperAdmin, 0))
 		c.SetUserContext(ctx)
 		return c.Next()
 	})
@@ -425,7 +425,7 @@ func TestRoleAPI_GetPermissions(t *testing.T) {
 	// 添加测试中间件
 	testUserID := uint(1)
 	env.app.Use(func(c *fiber.Ctx) error {
-		ctx := middleware.SetUserContext(c.UserContext(), testUserID, constants.UserTypeSuperAdmin, 0)
+		ctx := middleware.SetUserContext(c.UserContext(), middleware.NewSimpleUserContext(testUserID, constants.UserTypeSuperAdmin, 0))
 		c.SetUserContext(ctx)
 		return c.Next()
 	})
@@ -475,7 +475,7 @@ func TestRoleAPI_RemovePermission(t *testing.T) {
 	// 添加测试中间件
 	testUserID := uint(1)
 	env.app.Use(func(c *fiber.Ctx) error {
-		ctx := middleware.SetUserContext(c.UserContext(), testUserID, constants.UserTypeSuperAdmin, 0)
+		ctx := middleware.SetUserContext(c.UserContext(), middleware.NewSimpleUserContext(testUserID, constants.UserTypeSuperAdmin, 0))
 		c.SetUserContext(ctx)
 		return c.Next()
 	})

tests/unit/permission_platform_filter_test.go

@@ -24,7 +24,7 @@ func TestPermissionPlatformFilter_List(t *testing.T) {
 	service := permission.New(permissionStore)
 
 	ctx := context.Background()
-	ctx = middleware.SetUserContext(ctx, 1, constants.UserTypeSuperAdmin, 0)
+	ctx = middleware.SetUserContext(ctx, middleware.NewSimpleUserContext(1, constants.UserTypeSuperAdmin, 0))
 
 	// 创建不同 platform 的权限
 	permissions := []*model.Permission{
@@ -108,7 +108,7 @@ func TestPermissionPlatformFilter_CreateWithDefaultPlatform(t *testing.T) {
 	service := permission.New(permissionStore)
 
 	ctx := context.Background()
-	ctx = middleware.SetUserContext(ctx, 1, constants.UserTypeSuperAdmin, 0)
+	ctx = middleware.SetUserContext(ctx, middleware.NewSimpleUserContext(1, constants.UserTypeSuperAdmin, 0))
 
 	// 创建权限时不指定 platform
 	req := &model.CreatePermissionRequest{
@@ -132,7 +132,7 @@ func TestPermissionPlatformFilter_CreateWithSpecificPlatform(t *testing.T) {
 	service := permission.New(permissionStore)
 
 	ctx := context.Background()
-	ctx = middleware.SetUserContext(ctx, 1, constants.UserTypeSuperAdmin, 0)
+	ctx = middleware.SetUserContext(ctx, middleware.NewSimpleUserContext(1, constants.UserTypeSuperAdmin, 0))
 
 	tests := []struct {
 		name     string
@@ -169,7 +169,7 @@ func TestPermissionPlatformFilter_Tree(t *testing.T) {
 	service := permission.New(permissionStore)
 
 	ctx := context.Background()
-	ctx = middleware.SetUserContext(ctx, 1, constants.UserTypeSuperAdmin, 0)
+	ctx = middleware.SetUserContext(ctx, middleware.NewSimpleUserContext(1, constants.UserTypeSuperAdmin, 0))
 
 	// 创建层级权限
 	parent := &model.Permission{

tests/unit/role_assignment_limit_test.go

@@ -26,7 +26,7 @@ func TestRoleAssignmentLimit_PlatformUser(t *testing.T) {
 	service := account.New(accountStore, roleStore, accountRoleStore)
 
 	ctx := context.Background()
-	ctx = middleware.SetUserContext(ctx, 1, constants.UserTypeSuperAdmin, 0)
+	ctx = middleware.SetUserContext(ctx, middleware.NewSimpleUserContext(1, constants.UserTypeSuperAdmin, 0))
 
 	// 创建平台用户
 	platformUser := &model.Account{
@@ -66,7 +66,7 @@ func TestRoleAssignmentLimit_AgentUser(t *testing.T) {
 	service := account.New(accountStore, roleStore, accountRoleStore)
 
 	ctx := context.Background()
-	ctx = middleware.SetUserContext(ctx, 1, constants.UserTypeSuperAdmin, 0)
+	ctx = middleware.SetUserContext(ctx, middleware.NewSimpleUserContext(1, constants.UserTypeSuperAdmin, 0))
 
 	// 创建代理账号
 	agentAccount := &model.Account{
@@ -109,7 +109,7 @@ func TestRoleAssignmentLimit_EnterpriseUser(t *testing.T) {
 	service := account.New(accountStore, roleStore, accountRoleStore)
 
 	ctx := context.Background()
-	ctx = middleware.SetUserContext(ctx, 1, constants.UserTypeSuperAdmin, 0)
+	ctx = middleware.SetUserContext(ctx, middleware.NewSimpleUserContext(1, constants.UserTypeSuperAdmin, 0))
 
 	// 创建企业账号
 	enterpriseAccount := &model.Account{
@@ -152,7 +152,7 @@ func TestRoleAssignmentLimit_SuperAdmin(t *testing.T) {
 	service := account.New(accountStore, roleStore, accountRoleStore)
 
 	ctx := context.Background()
-	ctx = middleware.SetUserContext(ctx, 1, constants.UserTypeSuperAdmin, 0)
+	ctx = middleware.SetUserContext(ctx, middleware.NewSimpleUserContext(1, constants.UserTypeSuperAdmin, 0))
 
 	// 创建超级管理员
 	superAdmin := &model.Account{