Add RBAC permission init script for harnessed_agent and harnessed_reasoning modules

- Three-tier permission model: public/read/admin
- Public: CSS files for any role
- Read: console UI, data view pages, read-only APIs for logined + admin roles
- Admin: config management, CRUD write ops, execution APIs for admin roles only
- Correct wss path handling (no /wss prefix in RBAC, nginx strips it)
- 420 total permission entries across 8 read roles and 7 admin roles

setup_harnessed_perms.sh

@@ -0,0 +1,193 @@
+#!/bin/bash
+# setup_harnessed_perms.sh
+# 为 harnessed_agent（执行层）和 harnessed_reasoning（推理层）模块配置 RBAC 角色权限
+#
+# 权限分级策略（基于业务功能分析）：
+#   1. public   — 静态资源（CSS），any 角色可用
+#   2. read     — 控制台主页、数据查看页面、只读API，logined + 管理员可用
+#   3. admin    — 配置管理、数据创建/更新/删除、执行操作，仅管理员可用
+#
+# 运行位置: sage 项目根目录 (包含 set_role_perm.py 的目录)
+# 用法: bash setup_harnessed_perms.sh
+
+set -e
+
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+cd "$SCRIPT_DIR"
+
+# 角色定义
+ADMIN_ROLES=(
+    # 通用登录角色 — read 级别使用
+    "logined"
+    # 各机构类型管理员 — admin 级别使用
+    "owner.admin"
+    "reseller.admin"
+    "provider.admin"
+    "customer.admin"
+    # Reseller 业务角色
+    "reseller.operator"
+    "reseller.accountant"
+    "reseller.maintainer"
+)
+
+COUNT=0
+set_perm() {
+    local role="$1"
+    local path="$2"
+    python set_role_perm.py "${role}" "${path}"
+    COUNT=$((COUNT + 1))
+}
+
+echo "============================================"
+echo "  harnessed 模块权限初始化"
+echo "============================================"
+
+# =============================================
+# 层级 1: PUBLIC — 静态资源（CSS文件）
+# 任何用户（含未登录）均可访问
+# =============================================
+echo ""
+echo ">>> [1/3] Public: 静态资源 (any)"
+PUBLIC_FILES=(
+    "/harnessed_agent/ios_design.css"
+    "/harnessed_reasoning/ios_design.css"
+)
+for f in "${PUBLIC_FILES[@]}"; do
+    set_perm "any" "${f}"
+done
+
+# =============================================
+# 层级 2: READ — 控制台主页 + 数据查看
+# 所有登录用户 + 管理员可用
+# =============================================
+echo ""
+echo ">>> [2/3] Read: 控制台主页 + 数据查看 (logined + 管理员)"
+
+READ_PATHS=(
+    # ---------- harnessed_agent ----------
+    # 控制台/主页（用户使用入口）
+    "/harnessed_agent/hermes_agent.ui"
+    "/harnessed_agent/agent_console.ui"
+    "/harnessed_agent/menu.ui"
+    # 数据查看页面（只读浏览）
+    "/harnessed_agent/sessions.ui"
+    "/harnessed_agent/skills.ui"
+    "/harnessed_agent/tasks.ui"
+    "/harnessed_agent/workflows.ui"
+    "/harnessed_agent/memory.ui"
+    "/harnessed_agent/tools.ui"
+    "/harnessed_agent/remote_skills.ui"
+    # API 配置查看（只读）
+    "/harnessed_agent/api/agent_config_get.dspy"
+
+    # ---------- harnessed_reasoning ----------
+    # 控制台/主页（用户使用入口）
+    "/harnessed_reasoning/hermes_reasoning.ui"
+    "/harnessed_reasoning/reasoning_console.ui"
+    "/harnessed_reasoning/menu.ui"
+    # WSS WebSocket 端点（nginx会去掉/wss前缀，应用收到的path不含/wss）
+    "/harnessed_reasoning/reasoning_console.wss"
+    # 数据查看页面
+    "/harnessed_reasoning/harnessed_reasoning_sessions_crud.ui"
+    "/harnessed_reasoning/harnessed_reasoning_config_view.ui"
+    # API 会话列表（只读）
+    "/harnessed_reasoning/api/sessions_list.dspy"
+    "/harnessed_reasoning/api/config_get.dspy"
+    # 推理提交（核心使用功能，所有登录用户可用）
+    "/harnessed_reasoning/api/reasoning_submit.dspy"
+)
+
+READ_ROLES=("logined" "owner.admin" "reseller.admin" "provider.admin" "customer.admin" "reseller.operator" "reseller.accountant" "reseller.maintainer")
+
+for p in "${READ_PATHS[@]}"; do
+    for role in "${READ_ROLES[@]}"; do
+        set_perm "${role}" "${p}"
+    done
+done
+
+# =============================================
+# 层级 3: ADMIN — 配置管理 + 数据操作 + 执行
+# 仅管理员角色可用
+# =============================================
+echo ""
+echo ">>> [3/3] Admin: 配置管理 + 数据操作 + 执行 (仅管理员)"
+
+ADMIN_PATHS=(
+    # ---------- harnessed_agent ----------
+    # 配置管理页面（管理员专用）
+    "/harnessed_agent/agent_config.ui"
+    "/harnessed_agent/agent_config_form.ui"
+    # 技能部署（管理员操作）
+    "/harnessed_agent/deploy_skill.ui"
+    "/harnessed_agent/execute_remote_skill.ui"
+
+    # harnessed_agent CRUD 页面（完整CRUD = 含写操作）
+    "/harnessed_agent/api/harnessed_agent_config_create.dspy"
+    "/harnessed_agent/api/harnessed_agent_config_update.dspy"
+    "/harnessed_agent/api/harnessed_agent_config_delete.dspy"
+    "/harnessed_agent/api/hermes_sessions_create.dspy"
+    "/harnessed_agent/api/hermes_sessions_update.dspy"
+    "/harnessed_agent/api/hermes_sessions_delete.dspy"
+    "/harnessed_agent/api/hermes_skills_create.dspy"
+    "/harnessed_agent/api/hermes_skills_update.dspy"
+    "/harnessed_agent/api/hermes_skills_delete.dspy"
+    "/harnessed_agent/api/hermes_tasks_create.dspy"
+    "/harnessed_agent/api/hermes_tasks_update.dspy"
+    "/harnessed_agent/api/hermes_tasks_delete.dspy"
+    "/harnessed_agent/api/hermes_workflows_create.dspy"
+    "/harnessed_agent/api/hermes_workflows_update.dspy"
+    "/harnessed_agent/api/hermes_workflows_delete.dspy"
+    "/harnessed_agent/api/hermes_executions_create.dspy"
+    "/harnessed_agent/api/hermes_executions_update.dspy"
+    "/harnessed_agent/api/hermes_executions_delete.dspy"
+    "/harnessed_agent/api/hermes_executions_task_create.dspy"
+    "/harnessed_agent/api/hermes_executions_task_update.dspy"
+    "/harnessed_agent/api/hermes_executions_task_delete.dspy"
+    "/harnessed_agent/api/hermes_memory_create.dspy"
+    "/harnessed_agent/api/hermes_memory_update.dspy"
+    "/harnessed_agent/api/hermes_memory_delete.dspy"
+    "/harnessed_agent/api/hermes_tasks_workflow_create.dspy"
+    "/harnessed_agent/api/hermes_tasks_workflow_update.dspy"
+    "/harnessed_agent/api/hermes_tasks_workflow_delete.dspy"
+    "/harnessed_agent/api/harnessed_remote_skills_create.dspy"
+    "/harnessed_agent/api/harnessed_remote_skills_update.dspy"
+    "/harnessed_agent/api/harnessed_remote_skills_delete.dspy"
+    "/harnessed_agent/api/executions_by_workflow_create.dspy"
+    "/harnessed_agent/api/executions_by_workflow_update.dspy"
+    "/harnessed_agent/api/executions_by_workflow_delete.dspy"
+    "/harnessed_agent/api/task_dependencies_create.dspy"
+    "/harnessed_agent/api/task_dependencies_update.dspy"
+    "/harnessed_agent/api/task_dependencies_delete.dspy"
+
+    # Agent 执行操作
+    "/harnessed_agent/api/agent_execute.dspy"
+    "/harnessed_agent/api/agent_config_save.dspy"
+    "/harnessed_agent/hermes.dspy"
+
+    # ---------- harnessed_reasoning ----------
+    # 配置管理（管理员专用）
+    "/harnessed_reasoning/api/config_save.dspy"
+)
+
+ADMIN_ROLES_ONLY=("owner.admin" "reseller.admin" "provider.admin" "customer.admin" "reseller.operator" "reseller.accountant" "reseller.maintainer")
+
+for p in "${ADMIN_PATHS[@]}"; do
+    for role in "${ADMIN_ROLES_ONLY[@]}"; do
+        set_perm "${role}" "${p}"
+    done
+done
+
+# =============================================
+# 完成
+# =============================================
+echo ""
+echo "============================================"
+echo "  权限配置完成，共设置 ${COUNT} 条权限"
+echo "============================================"
+echo ""
+echo "权限摘要:"
+echo "  Public (any):          ${#PUBLIC_FILES[@]} 个文件"
+echo "  Read (logined+admin):  ${#READ_PATHS[@]} 个路径 x ${#READ_ROLES[@]} 角色 = $((${#READ_PATHS[@]} * ${#READ_ROLES[@]})) 条"
+echo "  Admin (admin-only):    ${#ADMIN_PATHS[@]} 个路径 x ${#ADMIN_ROLES_ONLY[@]} 角色 = $((${#ADMIN_PATHS[@]} * ${#ADMIN_ROLES_ONLY[@]})) 条"
+echo ""
+echo "注意: 修改权限后需重启应用以刷新 RBAC 缓存。"