feat(v0.7.1): P0 修复 + 企微 SSO + RBAC 细粒度 + audit_log

P0 修复:
- /api/ready import 错误 (_get_engine + settings.create_redis_client)
- 删 agent.otp_secret/otp_enabled 双字段 (migration 026)
- 重建 021_rbac migration (IF NOT EXISTS 兼容)

P1 新增:
- 企微 SSO (auth_wecom_sso.py, useWeChatWorkSSO composable, PortalSelect UA 检测)
- RBAC 5 角色 × 4 资源 × 4 操作 × 3 范围 (rbac_service + seed_rbac + require_permission)
- audit_log 模型 + migration 027 + 服务 + API
- 管理后台 RBAC 权限矩阵 UI (PermissionsMatrix.vue)

质量:
- pytest 405 passed / 33 pre-existing failed / 4 xfailed (v0.7.1 引入失败 = 0)
- conftest GBK patch 强制 UTF-8 读 .env
- .gitignore 排除 *.b64 (含 admin token 凭据)
- DEPLOY-v0.7.1.md 7 步 runbook + 4 坑 + 回滚预案

backend/app/api/audit_logs.py

@@ -0,0 +1,75 @@
+# =============================================================================
+# 企微IT智能服务台 — 审计日志 API (v0.7.1 task #89)
+# =============================================================================
+# 说明: 审计日志只读端点,给 auditor / admin 用
+# 权限要求: audit_log:read:all (由 RBAC 装饰器校验)
+# =============================================================================
+
+import logging
+from datetime import datetime
+from typing import Optional
+
+from fastapi import APIRouter, Depends, Query
+from sqlalchemy.ext.asyncio import AsyncSession
+
+from app.dependencies import require_permission, UserInfo
+from app.database import get_db
+from app.services.audit_log_service import list_audit_logs
+from app.utils.response import success_response
+
+logger = logging.getLogger(__name__)
+
+router = APIRouter(prefix="/admin/audit-logs", tags=["审计日志"])
+
+
+@router.get("")
+@require_permission("audit_log", "read", "all")
+async def get_audit_logs(
+    employee_id: Optional[str] = Query(None, description="按操作人过滤"),
+    action: Optional[str] = Query(None, description="按操作类型过滤"),
+    resource: Optional[str] = Query(None, description="按资源类型过滤"),
+    from_time: Optional[datetime] = Query(None, alias="from", description="起始时间(ISO8601)"),
+    to_time: Optional[datetime] = Query(None, alias="to", description="结束时间(ISO8601)"),
+    page: int = Query(1, ge=1, description="页码"),
+    page_size: int = Query(50, ge=1, le=500, description="每页条数"),
+    admin: UserInfo = None,  # 由 require_permission 注入(签名合并)
+    db: AsyncSession = Depends(get_db),
+):
+    """查询审计日志(分页)。
+
+    权限: 需要 audit_log:read:all (admin / auditor 角色拥有)
+
+    Returns:
+        Dict: 统一响应格式,包含 items/total/page/page_size
+    """
+    result = await list_audit_logs(
+        db,
+        employee_id=employee_id,
+        action=action,
+        resource=resource,
+        from_time=from_time,
+        to_time=to_time,
+        page=page,
+        page_size=page_size,
+    )
+
+    return success_response(data={
+        "items": [
+            {
+                "id": log.id,
+                "employee_id": log.employee_id,
+                "action": log.action,
+                "resource": log.resource,
+                "resource_id": log.resource_id,
+                "details": log.details,
+                "result": log.result,
+                "ip_address": log.ip_address,
+                "user_agent": log.user_agent,
+                "created_at": log.created_at.isoformat() if log.created_at else None,
+            }
+            for log in result["items"]
+        ],
+        "total": result["total"],
+        "page": result["page"],
+        "page_size": result["page_size"],
+    })