fix(n+1): 批量查询替代循环单查

- IsAdminBootstrapRequired: userRepo.GetByID 循环 → GetByIDs 批量
- AssignRoles: roleRepo.GetByID 循环 → GetByIDs 批量
- 在 userRepositoryInterface 补充 GetByIDs 方法签名

docs/superpowers/plans/2026-04-24-profile-page-local-closure.md

@@ -0,0 +1,55 @@
+# Profile Page Local Closure Implementation Plan
+
+> **For agentic workers:** REQUIRED SUB-SKILL: Use superpowers:subagent-driven-development (recommended) or superpowers:executing-plans to implement this plan task-by-task. Steps use checkbox (`- [ ]`) syntax for tracking.
+
+**Goal:** Add a real browser scenario for `/profile`, keep the supported E2E gate green, and add the smallest regression coverage needed if the new scenario exposes a product defect.
+
+**Architecture:** Extend the existing Playwright CDP runner with one dedicated `profile-management` scenario built on the same admin-create-user flow already used by other auth scenarios. Keep product changes minimal and only if the scenario proves a real bug in profile page load, update, or navigation behavior.
+
+**Tech Stack:** Playwright CDP runner, React admin frontend, Vitest, existing Go backend APIs.
+
+---
+
+### Task 1: Add the red browser scenario
+
+**Files:**
+- Modify: `frontend/admin/scripts/run-playwright-cdp-e2e.mjs`
+
+- [ ] Add a new scenario entry named `profile-management` to the supported scenario list.
+- [ ] Implement the scenario with real admin login, real user creation, real user login, `/profile` page verification, one real profile update, and the `/profile` to `/profile/security` navigation proof.
+- [ ] Run `cd frontend/admin && $env:E2E_SCENARIOS='profile-management'; npm.cmd run e2e:full:win`.
+- [ ] Confirm the first failure is a real product or runner reason before changing product code.
+
+### Task 2: Fix the exposed issue with TDD if needed
+
+**Files:**
+- Modify only the minimal affected product files exposed by Task 1
+- Test: affected profile page or service Vitest files only
+
+- [ ] Add the smallest failing regression test for the exposed issue.
+- [ ] Run that regression test and verify it fails for the expected reason.
+- [ ] Implement the minimal fix.
+- [ ] Re-run the targeted regression test until it passes.
+
+### Task 3: Re-verify the profile browser scenario
+
+**Files:**
+- Modify: `frontend/admin/scripts/run-playwright-cdp-e2e.mjs`
+
+- [ ] Re-run `cd frontend/admin && $env:E2E_SCENARIOS='profile-management'; npm.cmd run e2e:full:win`.
+- [ ] Confirm the targeted profile scenario passes without weakening assertions.
+- [ ] If the scenario changed the product contract, re-run the directly affected Vitest files.
+
+### Task 4: Re-run the supported frontend gate and sync docs
+
+**Files:**
+- Modify: `docs/status/REAL_PROJECT_STATUS.md`
+- Modify: `docs/team/PRODUCTION_CHECKLIST.md`
+- Modify: `docs/team/TECHNICAL_GUIDE.md`
+- Modify: `docs/team/PROJECT_EXPERIENCE_SUMMARY.md`
+- Modify: `docs/team/QUALITY_STANDARD.md`
+
+- [ ] Run `cd frontend/admin && npm.cmd run lint`.
+- [ ] Run `cd frontend/admin && npm.cmd run build`.
+- [ ] Run `cd frontend/admin && npm.cmd run e2e:full:win`.
+- [ ] Update docs only with the results actually observed on this branch state.

docs/superpowers/specs/2026-04-24-profile-page-local-closure-design.md

@@ -0,0 +1,48 @@
+# Profile Page Local Closure Design
+
+**Date:** 2026-04-24
+
+**Goal:** Extend the supported browser-level acceptance path so `/profile` itself is covered by a real user-facing browser scenario, not only `/profile/security`.
+
+## Scope
+
+- Add one new supported browser scenario: `profile-management`.
+- Cover real user login, `/profile` load, visible account data verification, basic profile update, and the in-page navigation path from `/profile` to `/profile/security`.
+- Reuse the existing Playwright CDP runner and current admin-created test-user flow.
+- Keep assertions aligned with current page semantics: route, heading, stable placeholders, submit button, and visible account info.
+
+## Non-Goals
+
+- No third-party OAuth live verification.
+- No new product features for profile editing.
+- No attempt to prove OS-level automation.
+
+## Approach
+
+- Treat `/profile` as a separate supported browser scenario instead of folding it into `profile-and-security`.
+- Use the existing admin login plus real user creation path to avoid depending on pre-seeded normal-user fixtures.
+- If the scenario exposes a product defect, add the smallest affected regression test first and then fix the product behavior.
+
+## Required Browser Flow
+
+1. Log in as a real admin through the supported login surface.
+2. Open `/users` and create a normal user with a known password.
+3. Reset the browser session to the public login surface.
+4. Log in as the created user and confirm landing on `/profile`.
+5. Verify `/profile` heading and visible account data render from real API responses.
+6. Update editable profile fields through the real save action and wait for the real update API response.
+7. Verify the updated values appear in the visible page state.
+8. Follow the `/profile` to `/profile/security` navigation entry and confirm the security page loads.
+9. Reset back to login so the scenario leaves no authenticated browser state behind.
+
+## Verification
+
+- Targeted red/green loop:
+  - `cd frontend/admin && $env:E2E_SCENARIOS='profile-management'; npm.cmd run e2e:full:win`
+- If product code changes:
+  - run the directly affected Vitest files first
+  - then `cd frontend/admin && npm.cmd run lint`
+  - then `cd frontend/admin && npm.cmd run build`
+- Final acceptance:
+  - `cd frontend/admin && npm.cmd run e2e:full:win`
+