feat: add role/permission system with tests support

- Add Role model with 17 default permissions
- Add init_wizard to create admin/guest roles on first startup
- Protect admin role from modification/deletion via API
- Fix MilestoneCreate schema (project_id optional)
- Fix delete role to clean up role_permissions first
- Add check_project_role RBAC function

app/init_wizard.py

@@ -10,6 +10,7 @@ import logging
 from sqlalchemy.orm import Session
 
 from app.models import models
+from app.models.role_permission import Role, Permission, RolePermission
 from app.api.deps import get_password_hash
 
 logger = logging.getLogger("harborforge.init")
@@ -92,6 +93,109 @@ def init_default_project(db: Session, project_cfg: dict, owner_id: int, owner_na
     logger.info("Created default project '%s' (id=%d)", name, project.id)
 
 
+# Default permissions that will be created if not exist
+DEFAULT_PERMISSIONS = [
+    # Project permissions
+    ("project.read", "View project", "project"),
+    ("project.write", "Edit project", "project"),
+    ("project.delete", "Delete project", "project"),
+    ("project.manage_members", "Manage project members", "project"),
+    # Issue/Milestone permissions
+    ("issue.create", "Create issues", "issue"),
+    ("issue.read", "View issues", "issue"),
+    ("issue.write", "Edit issues", "issue"),
+    ("issue.delete", "Delete issues", "issue"),
+    ("milestone.create", "Create milestones", "milestone"),
+    ("milestone.read", "View milestones", "milestone"),
+    ("milestone.write", "Edit milestones", "milestone"),
+    ("milestone.delete", "Delete milestones", "milestone"),
+    # Role/Permission management
+    ("role.manage", "Manage roles and permissions", "admin"),
+    # User management
+    ("user.manage", "Manage users", "admin"),
+    # Monitor
+    ("monitor.read", "View monitor", "monitor"),
+    ("monitor.manage", "Manage monitor", "monitor"),
+    # Webhook
+    ("webhook.manage", "Manage webhooks", "admin"),
+]
+
+
+def init_default_permissions(db: Session) -> list[Permission]:
+    """Create default permissions if they don't exist. Returns all permissions."""
+    created = []
+    for name, description, category in DEFAULT_PERMISSIONS:
+        existing = db.query(Permission).filter(Permission.name == name).first()
+        if not existing:
+            perm = Permission(name=name, description=description, category=category)
+            db.add(perm)
+            created.append(perm)
+            logger.info("Created permission '%s'", name)
+    
+    if created:
+        db.commit()
+    
+    # Return all permissions
+    return db.query(Permission).all()
+
+
+def init_admin_role(db: Session, admin_user: models.User) -> None:
+    """Create admin role with all permissions and guest role with minimal permissions."""
+    # Check if admin role already exists
+    admin_role = db.query(Role).filter(Role.name == "admin").first()
+    if not admin_role:
+        admin_role = Role(
+            name="admin",
+            description="Administrator - full access to all features",
+            is_global=True
+        )
+        db.add(admin_role)
+        db.commit()
+        db.refresh(admin_role)
+        logger.info("Created admin role (id=%d)", admin_role.id)
+    
+    # Check if guest role already exists
+    guest_role = db.query(Role).filter(Role.name == "guest").first()
+    if not guest_role:
+        guest_role = Role(
+            name="guest",
+            description="Guest - read-only access",
+            is_global=True
+        )
+        db.add(guest_role)
+        db.commit()
+        db.refresh(guest_role)
+        logger.info("Created guest role (id=%d)", guest_role.id)
+    
+    # Get all permissions
+    all_perms = db.query(Permission).all()
+    
+    # Assign all permissions to admin role
+    existing_admin_perm_ids = {rp.permission_id for rp in admin_role.permissions}
+    for perm in all_perms:
+        if perm.id not in existing_admin_perm_ids:
+            rp = RolePermission(role_id=admin_role.id, permission_id=perm.id)
+            db.add(rp)
+    
+    if all_perms:
+        db.commit()
+        logger.info("Assigned %d permissions to admin role", len(all_perms))
+    
+    # Assign only read permissions to guest role
+    read_perms = db.query(Permission).filter(Permission.name.like("%.read")).all()
+    existing_guest_perm_ids = {rp.permission_id for rp in guest_role.permissions}
+    for perm in read_perms:
+        if perm.id not in existing_guest_perm_ids:
+            rp = RolePermission(role_id=guest_role.id, permission_id=perm.id)
+            db.add(rp)
+    
+    if read_perms:
+        db.commit()
+        logger.info("Assigned %d read permissions to guest role", len(read_perms))
+    
+    logger.info("Admin and guest roles setup complete")
+
+
 def run_init(db: Session) -> None:
     """Main initialization entry point. Reads config from shared volume."""
     config = load_config()
@@ -100,11 +204,18 @@ def run_init(db: Session) -> None:
 
     logger.info("Running HarborForge initialization from wizard config")
 
+    # Initialize default permissions and admin role (always run)
+    all_perms = init_default_permissions(db)
+    logger.info("Default permissions initialized: %d total", len(all_perms))
+
     # Admin user
     admin_cfg = config.get("admin")
     admin_user = None
     if admin_cfg:
         admin_user = init_admin_user(db, admin_cfg)
+        # Create admin role and assign to admin user
+        if admin_user:
+            init_admin_role(db, admin_user)
 
     # Default project
     project_cfg = config.get("default_project")