infra文件结构修改

docs/subModule/iam.md

@@ -1 +1,99 @@
 # 认证服务
+
+```mermaid
+flowchart TB
+  U[User / Client] -->|login| GW[API Gateway]
+  GW -->|auth request| IAM[IAM Auth Service]
+  IAM -->|issue tokens| GW
+  GW -->|return tokens| U
+
+  U -->|API request with access token| GW
+  GW -->|forward request| T[Todo Service]
+
+  subgraph IAM_Core[IAM Core]
+    IAM --> KMS[Key Store]
+    IAM --> JWKS[JWKS Endpoint]
+    IAM --> RT[Refresh Token Store]
+    IAM --> IDP[User Org Role Store]
+  end
+
+  T -->|fetch public keys| JWKS
+  T -->|verify JWT locally| T
+  T -->|resource authorization| DB[Todo Database]
+
+  T -->|optional version or revoke check| R[Redis Cache]
+  IAM -->|update version or revoke| R
+
+  T -->|emit events| MQ[Kafka]
+  MQ --> N[Notification Service]
+  MQ --> S[Search Service]
+```
+
+```mermaid
+sequenceDiagram
+  autonumber
+  participant C as Client
+  participant GW as API Gateway
+  participant IAM as IAM/Auth
+  participant JWKS as JWKS Endpoint
+  participant T as Task Service
+  participant DB as Postgres
+  participant R as Redis(ver/jti)
+
+  %% Login
+  C->>GW: POST /auth/login (username/password)
+  GW->>IAM: forward /auth/login
+  IAM->>IAM: validate credentials
+  IAM->>IAM: issue access_token(JWT) + refresh_token
+  IAM->>GW: 200 tokens
+  GW->>C: 200 tokens (store refresh safely)
+
+  %% Normal API call (local verify)
+  C->>GW: GET /tasks (Authorization: Bearer access)
+  GW->>T: forward request (+ traceId)
+
+  alt JWKS cache miss
+    T->>JWKS: GET /.well-known/jwks.json
+    JWKS-->>T: public keys
+  end
+
+  T->>T: verify JWT signature + iss/aud/exp
+  opt fast invalidation check (recommended)
+    T->>R: GET auth_ver:{sub} or revoked_jti:{jti}
+    R-->>T: ok / mismatch
+  end
+  T->>DB: query tasks WHERE tenant_id=tid AND (owner=sub OR permission)
+  DB-->>T: tasks
+  T-->>GW: 200 tasks
+  GW-->>C: 200 tasks
+
+  %% Access expired -> refresh
+  C->>GW: GET /tasks (access expired)
+  GW-->>C: 401 token_expired
+  C->>GW: POST /auth/refresh (refresh_token)
+  GW->>IAM: forward refresh
+  IAM->>IAM: validate refresh token (rotation/reuse detection)
+  IAM->>IAM: issue new access + new refresh
+  IAM-->>GW: 200 new tokens
+  GW-->>C: 200 new tokens
+  C->>GW: retry GET /tasks (new access)
+  GW->>T: forward
+  T->>T: verify JWT ...
+  T->>DB: query ...
+  DB-->>T: tasks
+  T-->>GW: 200
+  GW-->>C: 200
+
+  %% Role change / revoke (how to take effect)
+  Note over IAM,R: Admin changes role OR user logs out\nIAM increments auth_ver or revokes jti
+  IAM->>R: SET auth_ver:{sub}=newVersion OR SET revoked_jti:{jti}=1
+
+  %% After role change
+  C->>GW: POST /tasks (Authorization: Bearer old access)
+  GW->>T: forward
+  T->>T: verify JWT ok (signature still valid)
+  T->>R: GET auth_ver:{sub} / revoked_jti:{jti}
+  R-->>T: mismatch / revoked
+  T-->>GW: 401/403 (reauth required)
+  GW-->>C: 401/403
+```