feat(auth): add account permission profiles for data API phase 1 #1558

Open
yeyitech wants to merge 1 commit into volcengine:main from yeyitech:feat/issue-988-acl-custom-roles-phase1

@yeyitech
Contributor

Summary

  • add account-level permission profiles with built-in coarse data read/write capabilities and custom profile persistence
  • propagate effective permissions through auth/request context while preserving ROOT and ADMIN full-access semantics
  • enforce phase-1 data permissions on filesystem, search, and resource mutation APIs with structured permission-denied errors

Testing

  • OPENVIKING_CONFIG_FILE=/Users/bytedance/contextgo/OpenViking-acl-profiles/test_data/test-ov.conf pytest --no-cov tests/server/test_acl_phase1_unit.py tests/server/test_acl_phase1_routes.py -q
  • COVERAGE_FILE=/tmp/openviking-auth-acl.coverage OPENVIKING_CONFIG_FILE=/Users/bytedance/contextgo/OpenViking-acl-profiles/test_data/test-ov.conf pytest --no-cov tests/server/test_auth.py -k "request_context_propagates_permission_profile_and_effective_permissions or root_system_status_allows_implicit_default_identity or root_tenant_scoped_requests_allow_explicit_identity or root_monitoring_requests_allow_implicit_default_identity or root_system_wait_allows_implicit_default_identity or root_monitoring_requests_keep_200_via_http or root_system_wait_keeps_200_via_http or task_endpoints_are_user_scoped" -q

Notes

  • broader server/auth integration tests that instantiate OpenVikingService are currently blocked in this environment by the missing ragfs_python native binding

@CLAassistant

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.

Codex seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you already have a GitHub account, please add the email address used for this commit to your account.
You have signed the CLA already but the status is still pending? Let us recheck it.

@github-actions

PR Reviewer Guide 🔍

Here are some key observations to aid the review process:

⏱️ Estimated effort to review: 4 🔵🔵🔵🔵⚪
🏅 Score: 88
🧪 PR contains tests
🔒 No security concerns identified
✅ No TODO sections
🔀 Multiple PR themes

Sub-PR theme: Add optional import for volcengine embedders

Relevant files:

  • openviking/models/embedder/init.py

Sub-PR theme: Add account permission profiles for data API phase 1

Relevant files:

  • openviking/server/api_keys.py
  • openviking/server/auth.py
  • openviking/server/identity.py
  • openviking/server/permissions.py
  • openviking/server/routers/admin.py
  • openviking/server/routers/filesystem.py
  • openviking/server/routers/resources.py
  • openviking/server/routers/search.py
  • openviking_cli/exceptions.py
  • tests/server/test_acl_phase1_routes.py
  • tests/server/test_acl_phase1_unit.py
  • tests/server/test_admin_api.py
  • tests/server/test_api_filesystem.py
  • tests/server/test_api_key_manager.py
  • tests/server/test_api_resources.py
  • tests/server/test_api_search.py
  • tests/server/test_auth.py

⚡ No major issues detected

@github-actions

PR Code Suggestions ✨

No code suggestions found for the PR.

Projects

Status: Backlog

2 participants