feat: permissions CRUD browser integration + E2E enhancements

Backend:
- permission_handler: 完善权限 CRUD 接口（列表/创建/更新/删除）
- auth_handler: 修复认证处理逻辑
- router: 新增权限管理路由
- handler_test: 新增权限 handler 测试覆盖

Frontend:
- permissions.ts/test.ts: 权限服务层完整实现
- profile/settings/service_tests: 服务适配器修正
- client.ts: HTTP 客户端健壮性增强
- vite.config.js: 构建配置优化
- E2E 脚本: run-playwright-cdp-e2e 大幅增强（权限流程覆盖）

Docs:
- REAL_PROJECT_STATUS: 状态更新
- PRODUCTION_CHECKLIST/QUALITY_STANDARD/TECHNICAL_GUIDE/PROJECT_EXPERIENCE_SUMMARY: 团队规范完善
- plans/2026-04-23: 权限浏览器 CRUD 设计方案

验证: go build 0错误

internal/api/handler/permission_handler.go

@@ -1,6 +1,7 @@
 package handler
 
 import (
+	"encoding/json"
 	"net/http"
 	"strconv"
 
@@ -33,13 +34,40 @@ func NewPermissionHandler(permissionService *service.PermissionService) *Permiss
 // @Failure 403 {object} Response "无权限"
 // @Router /api/v1/permissions [post]
 func (h *PermissionHandler) CreatePermission(c *gin.Context) {
-	var req service.CreatePermissionRequest
+	var req struct {
+		Name        string `json:"name" binding:"required"`
+		Code        string `json:"code" binding:"required"`
+		Type        *int   `json:"type" binding:"required"`
+		Description string `json:"description"`
+		ParentID    *int64 `json:"parent_id"`
+		Path        string `json:"path"`
+		Method      string `json:"method"`
+		Sort        int    `json:"sort"`
+		Icon        string `json:"icon"`
+	}
 	if err := c.ShouldBindJSON(&req); err != nil {
 		c.JSON(http.StatusBadRequest, gin.H{"code": 400, "message": err.Error()})
 		return
 	}
 
-	perm, err := h.permissionService.CreatePermission(c.Request.Context(), &req)
+	if req.Type == nil || *req.Type < 0 || *req.Type > 2 {
+		c.JSON(http.StatusBadRequest, gin.H{"code": 400, "message": "invalid permission type"})
+		return
+	}
+
+	serviceReq := service.CreatePermissionRequest{
+		Name:        req.Name,
+		Code:        req.Code,
+		Type:        *req.Type,
+		Description: req.Description,
+		ParentID:    req.ParentID,
+		Path:        req.Path,
+		Method:      req.Method,
+		Sort:        req.Sort,
+		Icon:        req.Icon,
+	}
+
+	perm, err := h.permissionService.CreatePermission(c.Request.Context(), &serviceReq)
 	if err != nil {
 		handleError(c, err)
 		return
@@ -201,7 +229,7 @@ func (h *PermissionHandler) UpdatePermissionStatus(c *gin.Context) {
 	}
 
 	var req struct {
-		Status string `json:"status" binding:"required"`
+		Status json.RawMessage `json:"status" binding:"required"`
 	}
 
 	if err := c.ShouldBindJSON(&req); err != nil {
@@ -209,13 +237,8 @@ func (h *PermissionHandler) UpdatePermissionStatus(c *gin.Context) {
 		return
 	}
 
-	var status domain.PermissionStatus
-	switch req.Status {
-	case "enabled", "1":
-		status = domain.PermissionStatusEnabled
-	case "disabled", "0":
-		status = domain.PermissionStatusDisabled
-	default:
+	status, ok := parsePermissionStatus(req.Status)
+	if !ok {
 		c.JSON(http.StatusBadRequest, gin.H{"code": 400, "message": "invalid status"})
 		return
 	}
@@ -239,6 +262,30 @@ func (h *PermissionHandler) UpdatePermissionStatus(c *gin.Context) {
 // @Security BearerAuth
 // @Success 200 {object} Response{data=[]domain.Permission} "权限树"
 // @Router /api/v1/permissions/tree [get]
+func parsePermissionStatus(raw json.RawMessage) (domain.PermissionStatus, bool) {
+	var statusText string
+	if err := json.Unmarshal(raw, &statusText); err == nil {
+		switch statusText {
+		case "enabled", "1":
+			return domain.PermissionStatusEnabled, true
+		case "disabled", "0":
+			return domain.PermissionStatusDisabled, true
+		}
+	}
+
+	var statusNumber int
+	if err := json.Unmarshal(raw, &statusNumber); err == nil {
+		switch statusNumber {
+		case 1:
+			return domain.PermissionStatusEnabled, true
+		case 0:
+			return domain.PermissionStatusDisabled, true
+		}
+	}
+
+	return domain.PermissionStatusDisabled, false
+}
+
 func (h *PermissionHandler) GetPermissionTree(c *gin.Context) {
 	tree, err := h.permissionService.GetPermissionTree(c.Request.Context())
 	if err != nil {