fix: add Scope=Project to project-level policy attach/detach

Without Scope parameter, AttachUserPolicy defaults to Global scope
even when ProjectName is provided. Adding Scope=Project ensures
policies are correctly limited to the specified project.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

backend/utils/iam_service.py

@@ -92,12 +92,13 @@ class IAMService:
 
     def attach_policy_in_project(self, username: str, policy_name: str,
                                   project_name: str, policy_type: str = "System") -> dict:
-        """在项目范围内授权"""
+        """在项目范围内授权（限定到指定项目）"""
         return self.client.call("AttachUserPolicy", {
             "UserName": username,
             "PolicyName": policy_name,
             "PolicyType": policy_type,
             "ProjectName": project_name,
+            "Scope": "Project",
         })
 
     def detach_policy_in_project(self, username: str, policy_name: str,
@@ -108,6 +109,7 @@ class IAMService:
             "PolicyName": policy_name,
             "PolicyType": policy_type,
             "ProjectName": project_name,
+            "Scope": "Project",
         })
 
     # === Deny Policy (project isolation) ===