feat: permissions CRUD browser integration + E2E enhancements

Backend:
- permission_handler: 完善权限 CRUD 接口（列表/创建/更新/删除）
- auth_handler: 修复认证处理逻辑
- router: 新增权限管理路由
- handler_test: 新增权限 handler 测试覆盖

Frontend:
- permissions.ts/test.ts: 权限服务层完整实现
- profile/settings/service_tests: 服务适配器修正
- client.ts: HTTP 客户端健壮性增强
- vite.config.js: 构建配置优化
- E2E 脚本: run-playwright-cdp-e2e 大幅增强（权限流程覆盖）

Docs:
- REAL_PROJECT_STATUS: 状态更新
- PRODUCTION_CHECKLIST/QUALITY_STANDARD/TECHNICAL_GUIDE/PROJECT_EXPERIENCE_SUMMARY: 团队规范完善
- plans/2026-04-23: 权限浏览器 CRUD 设计方案

验证: go build 0错误

internal/api/handler/auth_handler.go

@@ -33,7 +33,8 @@ type ActivateEmailRequest struct {
 
 // AuthHandler handles authentication requests
 type AuthHandler struct {
-	authService *service.AuthService
+	authService          *service.AuthService
+	passwordResetEnabled bool
 }
 
 // NewAuthHandler creates a new AuthHandler
@@ -41,6 +42,13 @@ func NewAuthHandler(authService *service.AuthService) *AuthHandler {
 	return &AuthHandler{authService: authService}
 }
 
+func (h *AuthHandler) SetPasswordResetEnabled(enabled bool) {
+	if h == nil {
+		return
+	}
+	h.passwordResetEnabled = enabled
+}
+
 // Register 用户注册
 // @Summary 用户注册
 // @Description 用户注册新账号，支持用户名+密码或手机号注册
@@ -327,6 +335,7 @@ func (h *AuthHandler) GetCSRFToken(c *gin.Context) {
 func (h *AuthHandler) GetAuthCapabilities(c *gin.Context) {
 	ctx := c.Request.Context()
 	caps := h.authService.GetAuthCapabilities(ctx)
+	caps.PasswordReset = h.SupportsPasswordReset()
 	c.JSON(http.StatusOK, gin.H{
 		"code":    0,
 		"message": "success",
@@ -744,6 +753,10 @@ func requestUsesHTTPS(c *gin.Context) bool {
 	return strings.EqualFold(strings.TrimSpace(c.GetHeader("X-Forwarded-Proto")), "https")
 }
 
+func (h *AuthHandler) SupportsPasswordReset() bool {
+	return h != nil && h.passwordResetEnabled
+}
+
 // handleError 将 error 转换为对应的 HTTP 响应。
 // 优先识别 ApplicationError，其次通过关键词推断业务错误类型，兜底返回 500。
 func handleError(c *gin.Context, err error) {

internal/api/handler/handler_test.go

@@ -549,6 +549,14 @@ func TestAuthHandler_GetAuthCapabilities(t *testing.T) {
 	if result["code"] != float64(0) {
 		t.Errorf("expected code 0, got %v", result["code"])
 	}
+
+	data, ok := result["data"].(map[string]interface{})
+	if !ok {
+		t.Fatalf("expected capabilities data, got %s", body)
+	}
+	if data["password_reset"] != true {
+		t.Fatalf("expected password_reset=true, got %v in %s", data["password_reset"], body)
+	}
 }
 
 func TestAuthHandler_Login_WithTOTPEnabled_ReturnsChallengeToken(t *testing.T) {
@@ -1005,6 +1013,119 @@ func TestRoleHandler_GetRole_RequiresAdmin(t *testing.T) {
 	}
 }
 
+// =============================================================================
+// Permission Handler Tests
+// =============================================================================
+
+func TestPermissionHandler_CreatePermission_AcceptsMenuTypeZero(t *testing.T) {
+	server, cleanup := setupHandlerTestServer(t)
+	defer cleanup()
+
+	t.Setenv("BOOTSTRAP_SECRET", "handler-bootstrap-secret")
+	token := bootstrapAdmin(server.URL, "handler-bootstrap-secret", "permcreate", "permcreate@test.com", "AdminPass123!")
+	if token == "" {
+		t.Fatal("expected bootstrap admin token")
+	}
+
+	createResp, createBody := doPost(server.URL+"/api/v1/permissions", token, map[string]interface{}{
+		"name": "Permission Create Menu Test",
+		"code": "permission:create:menu:test",
+		"type": 0,
+		"path": "/permissions/create-menu-test",
+		"sort": 0,
+	})
+	defer createResp.Body.Close()
+
+	if createResp.StatusCode != http.StatusCreated {
+		t.Fatalf("expected create status %d, got %d, body: %s", http.StatusCreated, createResp.StatusCode, createBody)
+	}
+
+	var createResult map[string]interface{}
+	if err := json.Unmarshal([]byte(createBody), &createResult); err != nil {
+		t.Fatalf("failed to parse create response: %v", err)
+	}
+
+	data, ok := createResult["data"].(map[string]interface{})
+	if !ok {
+		t.Fatalf("expected permission data in create response, got %s", createBody)
+	}
+
+	if data["type"] != float64(0) {
+		t.Fatalf("expected menu permission type 0, got %v in %s", data["type"], createBody)
+	}
+}
+
+func TestPermissionHandler_UpdatePermissionStatus_AcceptsNumericStatusPayload(t *testing.T) {
+	server, cleanup := setupHandlerTestServer(t)
+	defer cleanup()
+
+	t.Setenv("BOOTSTRAP_SECRET", "handler-bootstrap-secret")
+	token := bootstrapAdmin(server.URL, "handler-bootstrap-secret", "permadmin", "permadmin@test.com", "AdminPass123!")
+	if token == "" {
+		t.Fatal("expected bootstrap admin token")
+	}
+
+	createResp, createBody := doPost(server.URL+"/api/v1/permissions", token, map[string]interface{}{
+		"name": "Permission Status Test",
+		"code": "permission:status:test",
+		"type": 2,
+		"path": "/permissions/status-test",
+		"sort": 0,
+	})
+	defer createResp.Body.Close()
+
+	if createResp.StatusCode != http.StatusCreated {
+		t.Fatalf("expected create status %d, got %d, body: %s", http.StatusCreated, createResp.StatusCode, createBody)
+	}
+
+	var createResult map[string]interface{}
+	if err := json.Unmarshal([]byte(createBody), &createResult); err != nil {
+		t.Fatalf("failed to parse create response: %v", err)
+	}
+
+	data, ok := createResult["data"].(map[string]interface{})
+	if !ok {
+		t.Fatalf("expected permission data in create response, got %s", createBody)
+	}
+
+	permissionID, ok := data["id"].(float64)
+	if !ok {
+		t.Fatalf("expected numeric permission id in create response, got %s", createBody)
+	}
+
+	updateResp, updateBody := doPut(
+		fmt.Sprintf("%s/api/v1/permissions/%d/status", server.URL, int(permissionID)),
+		token,
+		map[string]interface{}{"status": 0},
+	)
+	defer updateResp.Body.Close()
+
+	if updateResp.StatusCode != http.StatusOK {
+		t.Fatalf("expected update status %d, got %d, body: %s", http.StatusOK, updateResp.StatusCode, updateBody)
+	}
+
+	getResp, getBody := doGet(fmt.Sprintf("%s/api/v1/permissions/%d", server.URL, int(permissionID)), token)
+	defer getResp.Body.Close()
+
+	if getResp.StatusCode != http.StatusOK {
+		t.Fatalf("expected get status %d, got %d, body: %s", http.StatusOK, getResp.StatusCode, getBody)
+	}
+
+	var getResult map[string]interface{}
+	if err := json.Unmarshal([]byte(getBody), &getResult); err != nil {
+		t.Fatalf("failed to parse get response: %v", err)
+	}
+
+	getData, ok := getResult["data"].(map[string]interface{})
+	if !ok {
+		t.Fatalf("expected permission data in get response, got %s", getBody)
+	}
+
+	if getData["status"] != float64(0) {
+		t.Fatalf("expected permission status 0 after update, got %v in %s", getData["status"], getBody)
+	}
+}
+
 // =============================================================================
 // Theme Handler Tests
 // =============================================================================

internal/api/handler/permission_handler.go

@@ -1,6 +1,7 @@
 package handler
 
 import (
+	"encoding/json"
 	"net/http"
 	"strconv"
 
@@ -33,13 +34,40 @@ func NewPermissionHandler(permissionService *service.PermissionService) *Permiss
 // @Failure 403 {object} Response "无权限"
 // @Router /api/v1/permissions [post]
 func (h *PermissionHandler) CreatePermission(c *gin.Context) {
-	var req service.CreatePermissionRequest
+	var req struct {
+		Name        string `json:"name" binding:"required"`
+		Code        string `json:"code" binding:"required"`
+		Type        *int   `json:"type" binding:"required"`
+		Description string `json:"description"`
+		ParentID    *int64 `json:"parent_id"`
+		Path        string `json:"path"`
+		Method      string `json:"method"`
+		Sort        int    `json:"sort"`
+		Icon        string `json:"icon"`
+	}
 	if err := c.ShouldBindJSON(&req); err != nil {
 		c.JSON(http.StatusBadRequest, gin.H{"code": 400, "message": err.Error()})
 		return
 	}
 
-	perm, err := h.permissionService.CreatePermission(c.Request.Context(), &req)
+	if req.Type == nil || *req.Type < 0 || *req.Type > 2 {
+		c.JSON(http.StatusBadRequest, gin.H{"code": 400, "message": "invalid permission type"})
+		return
+	}
+
+	serviceReq := service.CreatePermissionRequest{
+		Name:        req.Name,
+		Code:        req.Code,
+		Type:        *req.Type,
+		Description: req.Description,
+		ParentID:    req.ParentID,
+		Path:        req.Path,
+		Method:      req.Method,
+		Sort:        req.Sort,
+		Icon:        req.Icon,
+	}
+
+	perm, err := h.permissionService.CreatePermission(c.Request.Context(), &serviceReq)
 	if err != nil {
 		handleError(c, err)
 		return
@@ -201,7 +229,7 @@ func (h *PermissionHandler) UpdatePermissionStatus(c *gin.Context) {
 	}
 
 	var req struct {
-		Status string `json:"status" binding:"required"`
+		Status json.RawMessage `json:"status" binding:"required"`
 	}
 
 	if err := c.ShouldBindJSON(&req); err != nil {
@@ -209,13 +237,8 @@ func (h *PermissionHandler) UpdatePermissionStatus(c *gin.Context) {
 		return
 	}
 
-	var status domain.PermissionStatus
-	switch req.Status {
-	case "enabled", "1":
-		status = domain.PermissionStatusEnabled
-	case "disabled", "0":
-		status = domain.PermissionStatusDisabled
-	default:
+	status, ok := parsePermissionStatus(req.Status)
+	if !ok {
 		c.JSON(http.StatusBadRequest, gin.H{"code": 400, "message": "invalid status"})
 		return
 	}
@@ -239,6 +262,30 @@ func (h *PermissionHandler) UpdatePermissionStatus(c *gin.Context) {
 // @Security BearerAuth
 // @Success 200 {object} Response{data=[]domain.Permission} "权限树"
 // @Router /api/v1/permissions/tree [get]
+func parsePermissionStatus(raw json.RawMessage) (domain.PermissionStatus, bool) {
+	var statusText string
+	if err := json.Unmarshal(raw, &statusText); err == nil {
+		switch statusText {
+		case "enabled", "1":
+			return domain.PermissionStatusEnabled, true
+		case "disabled", "0":
+			return domain.PermissionStatusDisabled, true
+		}
+	}
+
+	var statusNumber int
+	if err := json.Unmarshal(raw, &statusNumber); err == nil {
+		switch statusNumber {
+		case 1:
+			return domain.PermissionStatusEnabled, true
+		case 0:
+			return domain.PermissionStatusDisabled, true
+		}
+	}
+
+	return domain.PermissionStatusDisabled, false
+}
+
 func (h *PermissionHandler) GetPermissionTree(c *gin.Context) {
 	tree, err := h.permissionService.GetPermissionTree(c.Request.Context())
 	if err != nil {