feat(ai): Phase 1B 角色沙箱 — 三级权限隔离 + Tool 过滤 + 输出控制

- 新增 agent/sandbox.rs: UserRole/SandboxConfig/OutputFilter 三级模型 - resolve_role() 从 JWT roles 解析为 Patient/MedicalStaff/Admin - ToolRegistry.tool_definitions_filtered() 按角色白名单过滤 - orchestrator.run() 新增 allowed_tools 参数，Tool 执行时二次校验 - chat_handler 集成沙箱：角色 Prompt 后缀 + 患者免责声明追加
2026-05-18 23:28:30 +08:00
parent 7e3d27ecf3
commit 5ba28ea349
5 changed files with 163 additions and 8 deletions
--- a/crates/erp-ai/src/agent/orchestrator.rs
+++ b/crates/erp-ai/src/agent/orchestrator.rs
@@ -54,8 +54,12 @@ impl AgentOrchestrator {
        messages: &mut Vec<ChatMessage>,
        ctx: &ToolContext,
        params: &AgentRunParams,
+        allowed_tools: Option<&std::collections::HashSet<String>>,
    ) -> AiResult<AgentRunResult> {
-        let tools = self.tool_registry.tool_definitions();
+        let tools = match allowed_tools {
+            Some(allowed) => self.tool_registry.tool_definitions_filtered(allowed),
+            None => self.tool_registry.tool_definitions(),
+        };
        let mut iterations = 0;
        let mut total_input_tokens = 0u32;
        let mut total_output_tokens = 0u32;
@@ -113,12 +117,22 @@ impl AgentOrchestrator {
                tool_call_id: None,
            });

-            // 执行每个 Tool Call
+            // 执行每个 Tool Call（受沙箱 allowed_tools 约束）
            for tc in &tool_calls {
                let tool_result = match self.tool_registry.get(&tc.name) {
                    Some(tool) => {
-                        let result = tool.execute(ctx, tc.arguments.clone()).await;
-                        result.output
+                        // 沙箱过滤：如果 allowed_tools 存在且不包含此 Tool，拒绝执行
+                        if let Some(allowed) = allowed_tools {
+                            if !allowed.contains(tc.name.as_str()) {
+                                format!("Tool '{}' 在当前角色下不可用", tc.name)
+                            } else {
+                                let result = tool.execute(ctx, tc.arguments.clone()).await;
+                                result.output
+                            }
+                        } else {
+                            let result = tool.execute(ctx, tc.arguments.clone()).await;
+                            result.output
+                        }
                    }
                    None => format!("未知 Tool: {}", tc.name),
                };