## 1. Spec - [x] 1.1 Review `docs/权限按钮.md` and confirm the login response is the source of button permission codes - [x] 1.2 Add OpenSpec proposal, tasks, and `agent-asset-list` delta spec for action-button permissions - [x] 1.3 Validate the new change with strict OpenSpec validation ## 2. Implementation - [x] 2.1 Extend login response typing and session persistence for the backend-provided `buttons` array - [x] 2.2 Define explicit H5 permission-code mapping for agent asset-list IoT card and device action buttons: - `asset:card_stop_h5` - `asset:card_start_h5` - `asset:device_stop_h5` - `asset:device_start_h5` - [x] 2.3 Gate asset-list action-button rendering by the current session button permissions - [x] 2.4 Verify card and device action visibility for sessions with and without matching button permission codes