feat(i7): async webhook delivery queue, OPS RBAC, UI role routing; docs and runbook

- Architect: I7_DESIGN.md, I7_IMPLEMENTATION_REVIEW.md; parallel index + track B
- Backend: @EnableMethodSecurity; OPS login; CallbackInbox PreAuthorize; IntegrationCatalog triple role
- Webhook: V2 webhook_platform_delivery; planner + scheduler + single-shot forwarder; tests
- Frontend: Pinia hasAnyRole; MainLayout/HomeView/router for OPS vs dev
- Runbook §10.5 delivery config

Made-with: Cursor

services/delivery-platform-api/src/main/java/cn/craftlabs/platform/api/PlatformApplication.java

@@ -4,8 +4,10 @@ import org.mybatis.spring.annotation.MapperScan;
 import org.springframework.boot.SpringApplication;
 import org.springframework.boot.autoconfigure.SpringBootApplication;
 import org.springframework.boot.autoconfigure.security.servlet.UserDetailsServiceAutoConfiguration;
+import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
 
 @SpringBootApplication(exclude = UserDetailsServiceAutoConfiguration.class)
+@EnableMethodSecurity
 @MapperScan("cn.craftlabs.platform.api.persistence")
 public class PlatformApplication {
 

services/delivery-platform-api/src/main/java/cn/craftlabs/platform/api/auth/AuthController.java

@@ -1,6 +1,7 @@
 package cn.craftlabs.platform.api.auth;
 
 import cn.craftlabs.platform.api.security.JwtService;
+import cn.craftlabs.platform.api.security.PlatformRoles;
 import org.springframework.http.HttpStatus;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestBody;
@@ -30,29 +31,42 @@ public class AuthController {
         String pass = body.getOrDefault("password", "");
         if ("admin".equals(user) && "admin".equals(pass)) {
             String token =
-                    jwtService.createToken(user, "管理员", List.of("SYS_ADMIN"));
+                    jwtService.createToken(user, "管理员", List.of(PlatformRoles.SYS_ADMIN));
             return Map.of(
                     "token",
                     token,
                     "tokenType",
                     "Bearer",
                     "roles",
-                    List.of("SYS_ADMIN"),
+                    List.of(PlatformRoles.SYS_ADMIN),
                     "displayName",
                     "管理员");
         }
         if ("dev".equals(user) && "dev".equals(pass)) {
-            String token = jwtService.createToken(user, "开发账号", List.of("DEVELOPER"));
+            String token =
+                    jwtService.createToken(user, "开发账号", List.of(PlatformRoles.DEVELOPER));
             return Map.of(
                     "token",
                     token,
                     "tokenType",
                     "Bearer",
                     "roles",
-                    List.of("DEVELOPER"),
+                    List.of(PlatformRoles.DEVELOPER),
                     "displayName",
                     "开发账号");
         }
+        if ("ops".equals(user) && "ops".equals(pass)) {
+            String token = jwtService.createToken(user, "运营账号", List.of(PlatformRoles.OPS));
+            return Map.of(
+                    "token",
+                    token,
+                    "tokenType",
+                    "Bearer",
+                    "roles",
+                    List.of(PlatformRoles.OPS),
+                    "displayName",
+                    "运营账号");
+        }
         throw new ResponseStatusException(HttpStatus.UNAUTHORIZED, "invalid credentials");
     }
 }

services/delivery-platform-api/src/main/java/cn/craftlabs/platform/api/callback/CallbackInboxController.java

@@ -15,6 +15,7 @@ import org.springframework.web.bind.annotation.PathVariable;
 import org.springframework.web.bind.annotation.RequestBody;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestParam;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.web.bind.annotation.RestController;
 
 import java.time.OffsetDateTime;
@@ -22,6 +23,7 @@ import java.time.OffsetDateTime;
 @RestController
 @RequestMapping("/api/v1/callback-inbox")
 @Validated
+@PreAuthorize("hasAnyRole('OPS','SYS_ADMIN')")
 public class CallbackInboxController {
 
     private final CallbackInboxService callbackInboxService;

services/delivery-platform-api/src/main/java/cn/craftlabs/platform/api/integration/IntegrationCatalogController.java

@@ -11,11 +11,13 @@ import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.PathVariable;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestParam;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.web.bind.annotation.RestController;
 
 @RestController
 @RequestMapping("/api/v1/integration")
 @Validated
+@PreAuthorize("hasAnyRole('OPS','SYS_ADMIN','DEVELOPER')")
 public class IntegrationCatalogController {
 
     private final IntegrationCatalogService integrationCatalogService;

services/delivery-platform-api/src/main/java/cn/craftlabs/platform/api/security/PlatformRoles.java

@@ -0,0 +1,14 @@
+package cn.craftlabs.platform.api.security;
+
+/**
+ * I7：JWT {@code roles} 声明值（过滤器会加上 {@code ROLE_} 前缀）。
+ */
+public final class PlatformRoles {
+
+    public static final String SYS_ADMIN = "SYS_ADMIN";
+    public static final String DEVELOPER = "DEVELOPER";
+    /** 运营：Callback Inbox 等（不包含合同/交付等业务写接口的默认放宽）。 */
+    public static final String OPS = "OPS";
+
+    private PlatformRoles() {}
+}