feat: 구매/안전 시스템 전면 개편 — tkpurchase 개편 + tksafety 신규 + 권한 보강

Phase 1: tkuser 협력업체 CRUD 이관 (읽기전용 → 전체 CRUD)
Phase 2: tkpurchase 개편 — 일용공 신청/확정, 작업일정, 업무현황, 계정관리, 협력업체 포털
Phase 3: tksafety 신규 시스템 — 방문관리 + 안전교육 신고
Phase 4: SSO 인증 보강 (partner_company_id JWT, 만료일 체크), 권한 테이블 기반 접근 제어

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

tkpurchase/api/models/checkinModel.js

@@ -0,0 +1,67 @@
+const { getPool } = require('./partnerModel');
+
+async function findBySchedule(scheduleId) {
+  const db = getPool();
+  const [rows] = await db.query(
+    `SELECT pc.*, pco.company_name, su.name AS checked_by_name
+     FROM partner_checkins pc
+     LEFT JOIN partner_companies pco ON pc.company_id = pco.id
+     LEFT JOIN sso_users su ON pc.checked_by = su.user_id
+     WHERE pc.schedule_id = ?
+     ORDER BY pc.check_in_time DESC`, [scheduleId]);
+  return rows;
+}
+
+async function findById(id) {
+  const db = getPool();
+  const [rows] = await db.query(
+    `SELECT pc.*, pco.company_name, su.name AS checked_by_name
+     FROM partner_checkins pc
+     LEFT JOIN partner_companies pco ON pc.company_id = pco.id
+     LEFT JOIN sso_users su ON pc.checked_by = su.user_id
+     WHERE pc.id = ?`, [id]);
+  return rows[0] || null;
+}
+
+async function findTodayByCompany(companyId) {
+  const db = getPool();
+  const [rows] = await db.query(
+    `SELECT pc.*, ps.work_description, ps.workplace_name
+     FROM partner_checkins pc
+     LEFT JOIN partner_schedules ps ON pc.schedule_id = ps.id
+     WHERE pc.company_id = ? AND DATE(pc.check_in_time) = CURDATE()
+     ORDER BY pc.check_in_time DESC`, [companyId]);
+  return rows;
+}
+
+async function checkIn(data) {
+  const db = getPool();
+  const [result] = await db.query(
+    `INSERT INTO partner_checkins (schedule_id, company_id, checked_by, check_in_time, worker_names, actual_worker_count, notes)
+     VALUES (?, ?, ?, NOW(), ?, ?, ?)`,
+    [data.schedule_id, data.company_id, data.checked_by,
+     data.worker_names ? JSON.stringify(data.worker_names) : null,
+     data.actual_worker_count || null, data.notes || null]);
+  return findById(result.insertId);
+}
+
+async function checkOut(id) {
+  const db = getPool();
+  await db.query('UPDATE partner_checkins SET check_out_time = NOW() WHERE id = ? AND check_out_time IS NULL', [id]);
+  return findById(id);
+}
+
+async function update(id, data) {
+  const db = getPool();
+  const fields = [];
+  const values = [];
+  if (data.worker_names !== undefined) { fields.push('worker_names = ?'); values.push(data.worker_names ? JSON.stringify(data.worker_names) : null); }
+  if (data.actual_worker_count !== undefined) { fields.push('actual_worker_count = ?'); values.push(data.actual_worker_count || null); }
+  if (data.notes !== undefined) { fields.push('notes = ?'); values.push(data.notes || null); }
+  if (fields.length === 0) return findById(id);
+  values.push(id);
+  await db.query(`UPDATE partner_checkins SET ${fields.join(', ')} WHERE id = ?`, values);
+  return findById(id);
+}
+
+module.exports = { findBySchedule, findById, findTodayByCompany, checkIn, checkOut, update };

tkpurchase/api/models/dayLaborModel.js

@@ -0,0 +1,85 @@
+const { getPool } = require('./partnerModel');
+
+async function findAll({ status, date_from, date_to, department_id, page = 1, limit = 50 } = {}) {
+  const db = getPool();
+  let sql = `SELECT dlr.*, su.name AS requester_name, sa.name AS approver_name, d.department_name
+             FROM day_labor_requests dlr
+             LEFT JOIN sso_users su ON dlr.requester_id = su.user_id
+             LEFT JOIN sso_users sa ON dlr.approved_by = sa.user_id
+             LEFT JOIN departments d ON dlr.department_id = d.department_id
+             WHERE 1=1`;
+  const params = [];
+  if (status) { sql += ' AND dlr.status = ?'; params.push(status); }
+  if (date_from) { sql += ' AND dlr.work_date >= ?'; params.push(date_from); }
+  if (date_to) { sql += ' AND dlr.work_date <= ?'; params.push(date_to); }
+  if (department_id) { sql += ' AND dlr.department_id = ?'; params.push(department_id); }
+  sql += ' ORDER BY dlr.work_date DESC, dlr.created_at DESC';
+  const offset = (page - 1) * limit;
+  sql += ' LIMIT ? OFFSET ?';
+  params.push(limit, offset);
+  const [rows] = await db.query(sql, params);
+  return rows;
+}
+
+async function findById(id) {
+  const db = getPool();
+  const [rows] = await db.query(
+    `SELECT dlr.*, su.name AS requester_name, sa.name AS approver_name, d.department_name
+     FROM day_labor_requests dlr
+     LEFT JOIN sso_users su ON dlr.requester_id = su.user_id
+     LEFT JOIN sso_users sa ON dlr.approved_by = sa.user_id
+     LEFT JOIN departments d ON dlr.department_id = d.department_id
+     WHERE dlr.id = ?`, [id]);
+  return rows[0] || null;
+}
+
+async function create(data) {
+  const db = getPool();
+  const [result] = await db.query(
+    `INSERT INTO day_labor_requests (requester_id, department_id, work_date, worker_count, work_description, workplace_name, notes)
+     VALUES (?, ?, ?, ?, ?, ?, ?)`,
+    [data.requester_id, data.department_id || null, data.work_date, data.worker_count || 1,
+     data.work_description || null, data.workplace_name || null, data.notes || null]);
+  return findById(result.insertId);
+}
+
+async function approve(id, approvedBy) {
+  const db = getPool();
+  await db.query(
+    `UPDATE day_labor_requests SET status = 'approved', approved_by = ?, approved_at = NOW() WHERE id = ? AND status = 'pending'`,
+    [approvedBy, id]);
+  return findById(id);
+}
+
+async function reject(id, approvedBy, notes) {
+  const db = getPool();
+  await db.query(
+    `UPDATE day_labor_requests SET status = 'rejected', approved_by = ?, approved_at = NOW(), notes = CONCAT(IFNULL(notes,''), ?, '') WHERE id = ? AND status = 'pending'`,
+    [approvedBy, notes ? '\n[거절사유] ' + notes : '', id]);
+  return findById(id);
+}
+
+async function complete(id) {
+  const db = getPool();
+  await db.query(`UPDATE day_labor_requests SET status = 'completed' WHERE id = ? AND status = 'approved'`, [id]);
+  return findById(id);
+}
+
+async function markSafetyReported(id) {
+  const db = getPool();
+  await db.query(`UPDATE day_labor_requests SET safety_reported = TRUE WHERE id = ?`, [id]);
+}
+
+async function getStats({ date_from, date_to } = {}) {
+  const db = getPool();
+  let dateFilter = '';
+  const params = [];
+  if (date_from) { dateFilter += ' AND work_date >= ?'; params.push(date_from); }
+  if (date_to) { dateFilter += ' AND work_date <= ?'; params.push(date_to); }
+  const [rows] = await db.query(
+    `SELECT status, COUNT(*) AS cnt, SUM(worker_count) AS total_workers
+     FROM day_labor_requests WHERE 1=1 ${dateFilter} GROUP BY status`, params);
+  return rows;
+}
+
+module.exports = { findAll, findById, create, approve, reject, complete, markSafetyReported, getStats };

tkpurchase/api/models/partnerAccountModel.js

@@ -0,0 +1,62 @@
+const { getPool } = require('./partnerModel');
+const bcrypt = require('bcrypt');
+
+async function findByCompany(companyId) {
+  const db = getPool();
+  const [rows] = await db.query(
+    `SELECT user_id, username, name, role, partner_company_id, account_expires_at, is_active, created_at
+     FROM sso_users WHERE partner_company_id = ?
+     ORDER BY name`, [companyId]);
+  return rows;
+}
+
+async function findById(userId) {
+  const db = getPool();
+  const [rows] = await db.query(
+    `SELECT user_id, username, name, role, partner_company_id, account_expires_at, is_active, created_at
+     FROM sso_users WHERE user_id = ?`, [userId]);
+  return rows[0] || null;
+}
+
+async function create(data) {
+  const db = getPool();
+  const hash = await bcrypt.hash(data.password, 10);
+  const [result] = await db.query(
+    `INSERT INTO sso_users (username, password_hash, name, role, partner_company_id, account_expires_at, is_active)
+     VALUES (?, ?, ?, 'user', ?, ?, TRUE)`,
+    [data.username, hash, data.name, data.partner_company_id,
+     data.account_expires_at || null]);
+  return findById(result.insertId);
+}
+
+async function update(userId, data) {
+  const db = getPool();
+  const fields = [];
+  const values = [];
+  if (data.name !== undefined) { fields.push('name = ?'); values.push(data.name); }
+  if (data.account_expires_at !== undefined) { fields.push('account_expires_at = ?'); values.push(data.account_expires_at || null); }
+  if (data.is_active !== undefined) { fields.push('is_active = ?'); values.push(data.is_active); }
+  if (data.password) {
+    const hash = await bcrypt.hash(data.password, 10);
+    fields.push('password_hash = ?');
+    values.push(hash);
+  }
+  if (fields.length === 0) return findById(userId);
+  values.push(userId);
+  await db.query(`UPDATE sso_users SET ${fields.join(', ')} WHERE user_id = ?`, values);
+  return findById(userId);
+}
+
+async function grantDefaultPermissions(userId) {
+  const db = getPool();
+  const pages = ['purchasing_partner_portal', 'purchasing_partner_checkin'];
+  for (const page of pages) {
+    await db.query(
+      `INSERT INTO user_page_permissions (user_id, page_name, can_access)
+       VALUES (?, ?, TRUE)
+       ON DUPLICATE KEY UPDATE can_access = TRUE`,
+      [userId, page]);
+  }
+}
+
+module.exports = { findByCompany, findById, create, update, grantDefaultPermissions };

tkpurchase/api/models/scheduleModel.js

@@ -0,0 +1,84 @@
+const { getPool } = require('./partnerModel');
+
+async function findAll({ company_id, date_from, date_to, status, page = 1, limit = 50 } = {}) {
+  const db = getPool();
+  let sql = `SELECT ps.*, pc.company_name, su.name AS registered_by_name
+             FROM partner_schedules ps
+             LEFT JOIN partner_companies pc ON ps.company_id = pc.id
+             LEFT JOIN sso_users su ON ps.registered_by = su.user_id
+             WHERE 1=1`;
+  const params = [];
+  if (company_id) { sql += ' AND ps.company_id = ?'; params.push(company_id); }
+  if (date_from) { sql += ' AND ps.work_date >= ?'; params.push(date_from); }
+  if (date_to) { sql += ' AND ps.work_date <= ?'; params.push(date_to); }
+  if (status) { sql += ' AND ps.status = ?'; params.push(status); }
+  sql += ' ORDER BY ps.work_date DESC, ps.created_at DESC';
+  const offset = (page - 1) * limit;
+  sql += ' LIMIT ? OFFSET ?';
+  params.push(limit, offset);
+  const [rows] = await db.query(sql, params);
+  return rows;
+}
+
+async function findById(id) {
+  const db = getPool();
+  const [rows] = await db.query(
+    `SELECT ps.*, pc.company_name, su.name AS registered_by_name
+     FROM partner_schedules ps
+     LEFT JOIN partner_companies pc ON ps.company_id = pc.id
+     LEFT JOIN sso_users su ON ps.registered_by = su.user_id
+     WHERE ps.id = ?`, [id]);
+  return rows[0] || null;
+}
+
+async function findByCompanyToday(companyId) {
+  const db = getPool();
+  const [rows] = await db.query(
+    `SELECT ps.*, pc.company_name
+     FROM partner_schedules ps
+     LEFT JOIN partner_companies pc ON ps.company_id = pc.id
+     WHERE ps.company_id = ? AND ps.work_date = CURDATE()
+     ORDER BY ps.created_at DESC`, [companyId]);
+  return rows;
+}
+
+async function create(data) {
+  const db = getPool();
+  const [result] = await db.query(
+    `INSERT INTO partner_schedules (company_id, work_date, work_description, workplace_name, expected_workers, registered_by, notes)
+     VALUES (?, ?, ?, ?, ?, ?, ?)`,
+    [data.company_id, data.work_date, data.work_description || null,
+     data.workplace_name || null, data.expected_workers || null,
+     data.registered_by, data.notes || null]);
+  return findById(result.insertId);
+}
+
+async function update(id, data) {
+  const db = getPool();
+  const fields = [];
+  const values = [];
+  if (data.company_id !== undefined) { fields.push('company_id = ?'); values.push(data.company_id); }
+  if (data.work_date !== undefined) { fields.push('work_date = ?'); values.push(data.work_date); }
+  if (data.work_description !== undefined) { fields.push('work_description = ?'); values.push(data.work_description || null); }
+  if (data.workplace_name !== undefined) { fields.push('workplace_name = ?'); values.push(data.workplace_name || null); }
+  if (data.expected_workers !== undefined) { fields.push('expected_workers = ?'); values.push(data.expected_workers || null); }
+  if (data.notes !== undefined) { fields.push('notes = ?'); values.push(data.notes || null); }
+  if (data.status !== undefined) { fields.push('status = ?'); values.push(data.status); }
+  if (fields.length === 0) return findById(id);
+  values.push(id);
+  await db.query(`UPDATE partner_schedules SET ${fields.join(', ')} WHERE id = ?`, values);
+  return findById(id);
+}
+
+async function updateStatus(id, status) {
+  const db = getPool();
+  await db.query('UPDATE partner_schedules SET status = ? WHERE id = ?', [status, id]);
+  return findById(id);
+}
+
+async function deleteSchedule(id) {
+  const db = getPool();
+  await db.query('DELETE FROM partner_schedules WHERE id = ?', [id]);
+}
+
+module.exports = { findAll, findById, findByCompanyToday, create, update, updateStatus, deleteSchedule };

tkpurchase/api/models/workReportModel.js

@@ -0,0 +1,87 @@
+const { getPool } = require('./partnerModel');
+
+async function findAll({ company_id, date_from, date_to, schedule_id, confirmed, page = 1, limit = 50 } = {}) {
+  const db = getPool();
+  let sql = `SELECT wr.*, pc.company_name, ps.work_description AS schedule_description,
+                    su_reporter.name AS reporter_name, su_confirmer.name AS confirmed_by_name
+             FROM partner_work_reports wr
+             LEFT JOIN partner_companies pc ON wr.company_id = pc.id
+             LEFT JOIN partner_schedules ps ON wr.schedule_id = ps.id
+             LEFT JOIN sso_users su_reporter ON wr.reporter_id = su_reporter.user_id
+             LEFT JOIN sso_users su_confirmer ON wr.confirmed_by = su_confirmer.user_id
+             WHERE 1=1`;
+  const params = [];
+  if (company_id) { sql += ' AND wr.company_id = ?'; params.push(company_id); }
+  if (date_from) { sql += ' AND wr.report_date >= ?'; params.push(date_from); }
+  if (date_to) { sql += ' AND wr.report_date <= ?'; params.push(date_to); }
+  if (schedule_id) { sql += ' AND wr.schedule_id = ?'; params.push(schedule_id); }
+  if (confirmed === 'true' || confirmed === '1') { sql += ' AND wr.confirmed_by IS NOT NULL'; }
+  if (confirmed === 'false' || confirmed === '0') { sql += ' AND wr.confirmed_by IS NULL'; }
+  sql += ' ORDER BY wr.report_date DESC, wr.created_at DESC';
+  const offset = (page - 1) * limit;
+  sql += ' LIMIT ? OFFSET ?';
+  params.push(limit, offset);
+  const [rows] = await db.query(sql, params);
+  return rows;
+}
+
+async function findById(id) {
+  const db = getPool();
+  const [rows] = await db.query(
+    `SELECT wr.*, pc.company_name, ps.work_description AS schedule_description,
+            su_reporter.name AS reporter_name, su_confirmer.name AS confirmed_by_name
+     FROM partner_work_reports wr
+     LEFT JOIN partner_companies pc ON wr.company_id = pc.id
+     LEFT JOIN partner_schedules ps ON wr.schedule_id = ps.id
+     LEFT JOIN sso_users su_reporter ON wr.reporter_id = su_reporter.user_id
+     LEFT JOIN sso_users su_confirmer ON wr.confirmed_by = su_confirmer.user_id
+     WHERE wr.id = ?`, [id]);
+  return rows[0] || null;
+}
+
+async function findByCheckin(checkinId) {
+  const db = getPool();
+  const [rows] = await db.query(
+    `SELECT wr.*, pc.company_name
+     FROM partner_work_reports wr
+     LEFT JOIN partner_companies pc ON wr.company_id = pc.id
+     WHERE wr.checkin_id = ?`, [checkinId]);
+  return rows[0] || null;
+}
+
+async function create(data) {
+  const db = getPool();
+  const [result] = await db.query(
+    `INSERT INTO partner_work_reports (schedule_id, checkin_id, company_id, report_date, reporter_id, actual_workers, work_content, progress_rate, issues, next_plan)
+     VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`,
+    [data.schedule_id || null, data.checkin_id || null, data.company_id,
+     data.report_date, data.reporter_id, data.actual_workers || null,
+     data.work_content || null, data.progress_rate || null,
+     data.issues || null, data.next_plan || null]);
+  return findById(result.insertId);
+}
+
+async function update(id, data) {
+  const db = getPool();
+  const fields = [];
+  const values = [];
+  if (data.actual_workers !== undefined) { fields.push('actual_workers = ?'); values.push(data.actual_workers || null); }
+  if (data.work_content !== undefined) { fields.push('work_content = ?'); values.push(data.work_content || null); }
+  if (data.progress_rate !== undefined) { fields.push('progress_rate = ?'); values.push(data.progress_rate || null); }
+  if (data.issues !== undefined) { fields.push('issues = ?'); values.push(data.issues || null); }
+  if (data.next_plan !== undefined) { fields.push('next_plan = ?'); values.push(data.next_plan || null); }
+  if (fields.length === 0) return findById(id);
+  values.push(id);
+  await db.query(`UPDATE partner_work_reports SET ${fields.join(', ')} WHERE id = ?`, values);
+  return findById(id);
+}
+
+async function confirm(id, confirmedBy) {
+  const db = getPool();
+  await db.query(
+    'UPDATE partner_work_reports SET confirmed_by = ?, confirmed_at = NOW() WHERE id = ? AND confirmed_by IS NULL',
+    [confirmedBy, id]);
+  return findById(id);
+}
+
+module.exports = { findAll, findById, findByCheckin, create, update, confirm };