From 6c97d7ef1eb0bd6dd53ddc4c6f570c1c08d392f2 Mon Sep 17 00:00:00 2001
From: zichun
Date: Fri, 15 May 2026 09:11:31 +0800
Subject: [PATCH] chore(usr): docs/05 去 password 字段 + ErrorCode 新增 40301/40901/40902 REQ-USR-002
---
 backend/src/main/java/com/xly/erp/common/response/ErrorCode.java | 6 ++++++
 backend/src/test/java/com/xly/erp/common/response/ErrorCodeTest.java | 29 +++++++++++++++++++++++++++++
 docs/05-API接口契约.md | 10 +++++-----
 3 files changed, 40 insertions(+), 5 deletions(-)
 create mode 100644 backend/src/test/java/com/xly/erp/common/response/ErrorCodeTest.java
diff --git a/backend/src/main/java/com/xly/erp/common/response/ErrorCode.java b/backend/src/main/java/com/xly/erp/common/response/ErrorCode.java
index 387dc5b..6a30283 100644
--- a/backend/src/main/java/com/xly/erp/common/response/ErrorCode.java
+++ b/backend/src/main/java/com/xly/erp/common/response/ErrorCode.java
@@ -16,8 +16,13 @@ public final class ErrorCode {
 public static final int BAD_CREDENTIALS = 40101;
 public static final int ACCOUNT_DELETED = 40103;
+ public static final int FORBIDDEN = 40301;
+
 public static final int ACCOUNT_LOCKED = 42301;
+ public static final int CONFLICT_USERNAME = 40901;
+ public static final int CONFLICT_USERCODE = 40902;
+
 public static final int INTERNAL_ERROR = 50000;
 /**
@@ -31,6 +36,7 @@ public final class ErrorCode {
 if (hundreds == 401) return 401;
 if (hundreds == 403) return 403;
 if (hundreds == 404) return 404;
+ if (hundreds == 409) return 409;
 if (hundreds == 423) return 423;
 if (hundreds == 500) return 500;
 return 500;
diff --git a/backend/src/test/java/com/xly/erp/common/response/ErrorCodeTest.java b/backend/src/test/java/com/xly/erp/common/response/ErrorCodeTest.java
new file mode 100644
index 0000000..d269a22
--- /dev/null
+++ b/backend/src/test/java/com/xly/erp/common/response/ErrorCodeTest.java
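Review bot: The three new constants in the first ErrorCode.java hunk (`FORBIDDEN`, `CONFLICT_USERNAME`, `CONFLICT_USERCODE`) have no comment saying where they may be returned, and the two 409 codes tell the caller exactly which identifier is already registered. The contract change in this same patch returns them only from the SUPER_ADMIN-only `POST /api/v1/users`, where that is acceptable; on an unauthenticated path such as login the same codes would confirm which usernames exist. I would record that limit on the constants, e.g. `/** Username already exists. Return only from authenticated admin endpoints, never from login or other unauthenticated flows. */` above `CONFLICT_USERNAME`, with the matching line for `CONFLICT_USERCODE`. The class body continues outside the hunk, so its existing comment conventions are not visible here.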
@@ -0,0 +1,29 @@
+package com.xly.erp.common.response;
+
+import org.junit.jupiter.api.Test;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+
+class ErrorCodeTest {
+
+ @Test
+ void httpMappings_coverNewCodes() {
+ assertEquals(403, ErrorCode.toHttpStatus(ErrorCode.FORBIDDEN));
+ assertEquals(409, ErrorCode.toHttpStatus(ErrorCode.CONFLICT_USERNAME));
+ assertEquals(409, ErrorCode.toHttpStatus(ErrorCode.CONFLICT_USERCODE));
+ assertEquals(40301, ErrorCode.FORBIDDEN);
+ assertEquals(40901, ErrorCode.CONFLICT_USERNAME);
+ assertEquals(40902, ErrorCode.CONFLICT_USERCODE);
+ }
+
+ @Test
+ void httpMappings_existingCodes_unchanged() {
+ assertEquals(200, ErrorCode.toHttpStatus(ErrorCode.OK));
+ assertEquals(400, ErrorCode.toHttpStatus(ErrorCode.BAD_REQUEST));
+ assertEquals(400, ErrorCode.toHttpStatus(ErrorCode.COMPANY_NOT_FOUND));
+ assertEquals(401, ErrorCode.toHttpStatus(ErrorCode.BAD_CREDENTIALS));
+ assertEquals(401, ErrorCode.toHttpStatus(ErrorCode.ACCOUNT_DELETED));
+ assertEquals(423, ErrorCode.toHttpStatus(ErrorCode.ACCOUNT_LOCKED));
+ assertEquals(500, ErrorCode.toHttpStatus(ErrorCode.INTERNAL_ERROR));
+ }
+}
diff --git a/docs/05-API接口契约.md b/docs/05-API接口契约.md
index 672ce83..18adc62 100644
--- a/docs/05-API接口契约.md
+++ b/docs/05-API接口契约.md
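Review bot: Neither test method pins what `toHttpStatus` does with a code whose family has no mapping line, so the `return 500;` fallback visible in the ErrorCode.java hunk is untested. That fallback decides how a client-error code added later without a matching `if` is reported: it would surface as a server error and land in 5xx monitoring instead of 4xx. One assertion with a constructed, unmapped value documents the behaviour, for example `assertEquals(500, ErrorCode.toHttpStatus(49901)); // constructed code, no 499 mapping expected`. How `hundreds` is derived from the code is outside the visible lines, so confirm that this value really reaches the fallback.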
@@ -71,16 +71,16 @@ BasePath: `/api/v1`
 - **Method**: POST
 - **Path**: `/api/v1/users`
 - **Auth**: Bearer Token;仅 `userType=SUPER_ADMIN` 可调用
-- **请求**: JSON body `CreateUserReq { username: string (3-20), userCode: string, password: string (8-20 含大小写字母和数字), userType: "NORMAL"|"SUPER_ADMIN", language: "zh-CN"|"en-US"|"zh-TW", canEditDocument: boolean, employeeId?: int, permissionCategoryIds: int[] }`
-- **响应**: JSON `UserVo { userId: int, username: string }`(HTTP 201)
+- **请求**: JSON body `CreateUserReq { username: string (3-20,正则 ^[A-Za-z0-9_]{3,20}$), userCode: string (max 50), userType: "NORMAL"|"SUPER_ADMIN", language: "zh-CN"|"en-US"|"zh-TW", canEditDocument: boolean, employeeId?: int, permissionCategoryIds?: int[] }`。**初始密码由系统统一设为 `"666666"`(BCrypt 哈希后入库),请求体不接受 `password` 字段(出现即返 40001)。**
+- **响应**: JSON `CreateUserVo { userId: int, username: string, userCode: string }`(HTTP 201)
 #### 错误码
-- `40001` — 必填字段缺失或格式错误
-- `40002` — 密码强度不满足(少于 8 位 / 缺大小写字母 / 缺数字)
+- `40001` — 必填字段缺失或格式错误(含携带未知字段如 `password`)
+- `40004` — 指定的员工 / 权限分类不存在
+- `40101` — 未携带或无效 Token
 - `40301` — 当前用户非超级管理员,无权调用
 - `40901` — 用户名已存在
 - `40902` — 用户号已存在
-- `40004` — 指定的员工 / 权限分类不存在
 ### REQ-USR-003 修改用户
--
libgit2 0.22.2
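Review bot: The added 请求 line gives every new account the same published initial password `"666666"`, including accounts created with `userType: "SUPER_ADMIN"`, and nothing in this section requires it to be changed before the account is usable. BCrypt protects the stored hash but not a value written into the contract, and six digits also falls below the 8-20 mixed-case rule that the removed line enforced. The contract should either return a randomly generated one-time password to the creating admin or state a forced-change rule, for example `New accounts must change the initial password at first login; until then every endpoint except password change returns 40301.` Whether a first-login rule already exists elsewhere in the document is not visible in this hunk.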