Project-level authorization:
- Adding a project to a sub-account now auto-calls AttachPolicyInProject
to grant default policies (ArkFullAccess, TOSFullAccess) in that project scope
- Removing a project auto-calls DetachPolicyInProject to revoke those policies
- Each project records which policies were attached (attached_policies field)
so removal knows exactly what to revoke
Configuration:
- GlobalConfig.default_project_policies: configurable list of policies to
auto-attach (editable in Settings page, defaults to ArkFullAccess + TOSFullAccess)
IAM Service:
- Added attach_policy_in_project() and detach_policy_in_project() methods
using standard AttachUserPolicy/DetachUserPolicy with ProjectName parameter
Frontend:
- Projects dialog now shows "已授权策略" column with policy tags
- Settings page has "项目默认授权策略" config field
Alert logging:
- Project add/remove operations are logged with attached/detached policy details
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
