vllm-project
diff --git a/‎.github/workflows/ci-changes.yml‎
Lines changed: 5 additions & 0 deletions b/‎.github/workflows/ci-changes.yml‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎dashboard/README.md‎
Lines changed: 9 additions & 1 deletion b/‎dashboard/README.md‎
Lines changed: 9 additions & 1 deletion
diff --git a/‎dashboard/backend/auth/middleware.go‎
Lines changed: 9 additions & 0 deletions b/‎dashboard/backend/auth/middleware.go‎
Lines changed: 9 additions & 0 deletions
diff --git a/‎dashboard/backend/auth/middleware_test.go‎
Lines changed: 3 additions & 0 deletions b/‎dashboard/backend/auth/middleware_test.go‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎dashboard/backend/auth/schema.go‎
Lines changed: 23 additions & 19 deletions b/‎dashboard/backend/auth/schema.go‎
Lines changed: 23 additions & 19 deletions
diff --git a/‎dashboard/backend/auth/schema_test.go‎
Lines changed: 93 additions & 0 deletions b/‎dashboard/backend/auth/schema_test.go‎
Lines changed: 93 additions & 0 deletions
diff --git a/‎dashboard/backend/handlers/canonical_transport.go‎
Lines changed: 9 additions & 0 deletions b/‎dashboard/backend/handlers/canonical_transport.go‎
Lines changed: 9 additions & 0 deletions
diff --git a/‎dashboard/backend/handlers/deploy.go‎
Lines changed: 11 additions & 0 deletions b/‎dashboard/backend/handlers/deploy.go‎
Lines changed: 11 additions & 0 deletions
@@ -182,7 +182,11 @@ jobs:
             e2e_dashboard:
               - 'e2e/profiles/dashboard/**'
               - 'e2e/testcases/dashboard_*.go'
+              - 'e2e/testcases/security_policy_apply.go'
               - 'deploy/kubernetes/observability/dashboard/**'
+              - 'dashboard/backend/handlers/security_policy*.go'
+              - 'dashboard/backend/handlers/deploy.go'
+              - 'dashboard/backend/handlers/canonical_transport.go'
             e2e_dynamic_config:
               - 'e2e/profiles/dynamic-config/**'
             e2e_llm_d:
@@ -221,6 +225,7 @@ jobs:
               - 'e2e/config/authz-profile-*.yaml'
               - 'src/semantic-router/pkg/classification/authz*.go'
               - 'src/semantic-router/pkg/authz/**'
+              - 'dashboard/backend/handlers/security_policy*.go'
             e2e_streaming:
               - 'e2e/profiles/streaming/**'
               - 'deploy/kubernetes/streaming/**'
 
@@ -41,6 +41,7 @@ Pages:
 - **Topology** (`/topology`): Visual topology of request flow and model selection using React Flow
 - **Playground** (`/playground`): Built-in chat playground for testing
 - **ML Setup** (`/ml-setup`): 3-step wizard for ML model selection — benchmark, train, and generate deployment config
+- **Security Policy** (`/security`): RBAC-to-router integration — map roles/groups to models and rate-limit tiers, preview generated router config fragments
 
 Features:
 
@@ -100,6 +101,9 @@ Read-only dashboard mode:
   - `GET /api/ml-pipeline/jobs/{id}` → Get job status and output files
   - `GET /api/ml-pipeline/stream/{id}` → SSE stream for real-time job progress
   - `GET /api/ml-pipeline/download/{id}/{filename}` → Download job output files
+  - `GET /api/security/policy` → Get current security policy config
+  - `PUT /api/security/policy` → Update security policy, generate router config fragment, and auto-apply to router config
+  - `POST /api/security/policy/preview` → Preview generated fragment without saving
 - Normalizes headers for iframe embedding: strips/overrides `X-Frame-Options` and `Content-Security-Policy` frame-ancestors as needed
 - SPA routing support: serves `index.html` for all non-asset routes
 - Central point for JWT/OIDC in the future (forward or exchange tokens to upstreams)
@@ -124,6 +128,7 @@ dashboard/
 │   │   │   ├── ConfigPage.tsx      # Config viewer with API fetch
 │   │   │   ├── PlaygroundPage.tsx  # Built-in chat playground
 │   │   │   ├── MLSetupPage.tsx     # ML model selection 3-step wizard
+│   │   │   ├── SecurityPolicyPage.tsx # RBAC role-to-model & rate-limit management
 │   │   │   └── *.module.css        # Scoped styles per page
 │   │   ├── hooks/
 │   │   │   └── useMLPipeline.ts    # ML pipeline state management & API hooks
@@ -138,6 +143,7 @@ dashboard/
 ├── backend/                         # Go reverse proxy server
 │   ├── main.go                     # Proxy routes & static file server
 │   ├── handlers/mlpipeline.go      # ML pipeline HTTP handlers & SSE streaming
+│   ├── handlers/security_policy.go # Security policy API & config fragment generation
 │   ├── mlpipeline/runner.go        # ML job orchestration (benchmark, train, config gen)
 │   ├── go.mod                      # Go module (minimal dependencies)
 │   └── Dockerfile                  # Multi-stage build (Node + Go + Alpine)
@@ -215,7 +221,9 @@ Recommended upstream settings for embedding:
 - Dashboard auth uses JWTs from `Authorization: Bearer <token>` for protected `/api/*` and `/embedded/*` requests.
 - Protected embedded entry URLs may also carry `authToken=<token>`, and the frontend mirrors the active token into a same-origin `vsr_session` cookie so Grafana/Jaeger iframe redirects and in-frame `/api/*` calls stay authenticated.
 - Frame embedding: backend strips/overrides `X-Frame-Options` and `Content-Security-Policy` headers from upstreams to permit `frame-ancestors 'self'` only.
-- Future: OIDC login on dashboard, stronger session-cookie handling, per-route RBAC, and signed proxy sessions to embedded services.
+- **Security Policy page** (`/security`, accessible via Manager dropdown): allows admins to define role-to-model RBAC mappings and per-role rate-limit tiers. On save, the dashboard translates these into canonical router config (`routing.signals.role_bindings`, `routing.decisions`, and `global.services.ratelimit`), merges them into the running `config.yaml`, and triggers a hot-reload so the router enforces the new policy immediately. Requires the `security.manage` permission for writes; `config.read` is sufficient for viewing. See [docs/security-hardening.md](../docs/security-hardening.md) for full details.
+- **Dashboard RBAC permissions**: `feedback.submit`, `replay.read`, and `security.manage` extend the built-in role/permission matrix. Only admin-role users receive `security.manage` by default.
+- Future: OIDC login on dashboard, stronger session-cookie handling, and signed proxy sessions to embedded services.
 
 Write access warning for config updates:
 
 
@@ -188,11 +188,20 @@ func featurePermission(method, path string) (string, bool) {
 		return openclawPermission(method, path)
 	case strings.HasPrefix(path, "/api/ml-pipeline/"):
 		return PermMlPipeline, true
+	case strings.HasPrefix(path, "/api/security/"):
+		return securityPermission(method), true
 	default:
 		return "", false
 	}
 }
 
+func securityPermission(method string) string {
+	if method == http.MethodGet {
+		return PermConfigRead
+	}
+	return PermSecurityManage
+}
+
 func openclawPermission(method, path string) (string, bool) {
 	switch {
 	case strings.HasPrefix(path, "/embedded/openclaw/"):
 
@@ -90,6 +90,9 @@ func TestRequiredPermission(t *testing.T) {
 		{method: http.MethodPost, path: "/api/openclaw/teams", expected: PermOpenClaw},
 		{method: http.MethodPost, path: "/api/openclaw/rooms/room-1/messages", expected: PermOpenClawRead},
 		{method: http.MethodPost, path: "/api/router/v1/chat/completions", expected: PermConfigRead},
+		{method: http.MethodGet, path: "/api/security/policy", expected: PermConfigRead},
+		{method: http.MethodPut, path: "/api/security/policy", expected: PermSecurityManage},
+		{method: http.MethodPost, path: "/api/security/policy/preview", expected: PermSecurityManage},
 	}
 
 	for _, tc := range testCases {
 
@@ -20,28 +20,31 @@ const (
 )
 
 const (
-	PermUsersManage  = "users.manage"
-	PermUsersView    = "users.view"
-	PermConfigRead   = "config.read"
-	PermConfigWrite  = "config.write"
-	PermConfigDeploy = "config.deploy"
-	PermEvalRead     = "evaluation.read"
-	PermEvalWrite    = "evaluation.write"
-	PermEvalRun      = "evaluation.run"
-	PermTopologyRead = "topology.read"
-	PermLogsRead     = "logs.read"
-	PermOpenClawRead = "openclaw.read"
-	PermOpenClaw     = "openclaw.manage"
-	PermMcpRead      = "mcp.read"
-	PermMcpManage    = "mcp.manage"
-	PermToolsUse     = "tools.use"
-	PermMlPipeline   = "mlpipeline.manage"
+	PermUsersManage    = "users.manage"
+	PermUsersView      = "users.view"
+	PermConfigRead     = "config.read"
+	PermConfigWrite    = "config.write"
+	PermConfigDeploy   = "config.deploy"
+	PermEvalRead       = "evaluation.read"
+	PermEvalWrite      = "evaluation.write"
+	PermEvalRun        = "evaluation.run"
+	PermTopologyRead   = "topology.read"
+	PermLogsRead       = "logs.read"
+	PermOpenClawRead   = "openclaw.read"
+	PermOpenClaw       = "openclaw.manage"
+	PermMcpRead        = "mcp.read"
+	PermMcpManage      = "mcp.manage"
+	PermToolsUse       = "tools.use"
+	PermMlPipeline     = "mlpipeline.manage"
+	PermFeedbackSubmit = "feedback.submit"
+	PermReplayRead     = "replay.read"
+	PermSecurityManage = "security.manage"
 )
 
 var DefaultRolePermissions = map[string][]string{
-	RoleAdmin: {PermUsersManage, PermUsersView, PermConfigRead, PermConfigWrite, PermConfigDeploy, PermEvalRead, PermEvalWrite, PermEvalRun, PermTopologyRead, PermLogsRead, PermOpenClawRead, PermOpenClaw, PermMcpRead, PermMcpManage, PermToolsUse, PermMlPipeline},
-	RoleWrite: {PermConfigRead, PermConfigWrite, PermConfigDeploy, PermEvalRead, PermEvalWrite, PermEvalRun, PermTopologyRead, PermLogsRead, PermOpenClawRead, PermOpenClaw, PermMcpRead, PermMcpManage, PermToolsUse, PermMlPipeline},
-	RoleRead:  {PermConfigRead, PermEvalRead, PermTopologyRead, PermLogsRead, PermOpenClawRead, PermMcpRead, PermToolsUse},
+	RoleAdmin: {PermUsersManage, PermUsersView, PermConfigRead, PermConfigWrite, PermConfigDeploy, PermEvalRead, PermEvalWrite, PermEvalRun, PermTopologyRead, PermLogsRead, PermOpenClawRead, PermOpenClaw, PermMcpRead, PermMcpManage, PermToolsUse, PermMlPipeline, PermFeedbackSubmit, PermReplayRead, PermSecurityManage},
+	RoleWrite: {PermConfigRead, PermConfigWrite, PermConfigDeploy, PermEvalRead, PermEvalWrite, PermEvalRun, PermTopologyRead, PermLogsRead, PermOpenClawRead, PermOpenClaw, PermMcpRead, PermMcpManage, PermToolsUse, PermMlPipeline, PermFeedbackSubmit, PermReplayRead},
+	RoleRead:  {PermConfigRead, PermEvalRead, PermTopologyRead, PermLogsRead, PermOpenClawRead, PermMcpRead, PermToolsUse, PermFeedbackSubmit, PermReplayRead},
 }
 
 var SupportedRoles = []string{RoleAdmin, RoleWrite, RoleRead}
@@ -57,6 +60,7 @@ var AllPermissions = []string{
 	PermUsersManage, PermUsersView, PermConfigRead, PermConfigWrite, PermConfigDeploy,
 	PermEvalRead, PermEvalWrite, PermEvalRun, PermTopologyRead, PermLogsRead, PermOpenClawRead,
 	PermOpenClaw, PermMcpRead, PermMcpManage, PermToolsUse, PermMlPipeline,
+	PermFeedbackSubmit, PermReplayRead, PermSecurityManage,
 }
 
 func normalizeRole(raw string) (string, error) {
 
@@ -0,0 +1,93 @@
+package auth
+
+import (
+	"testing"
+)
+
+func TestNewPermissionsExistInAllPermissions(t *testing.T) {
+	t.Parallel()
+
+	requiredPerms := []string{PermFeedbackSubmit, PermReplayRead, PermSecurityManage}
+	allSet := make(map[string]bool, len(AllPermissions))
+	for _, p := range AllPermissions {
+		allSet[p] = true
+	}
+
+	for _, perm := range requiredPerms {
+		if !allSet[perm] {
+			t.Fatalf("permission %q missing from AllPermissions", perm)
+		}
+	}
+}
+
+func TestAdminRoleHasSecurityManage(t *testing.T) {
+	t.Parallel()
+
+	adminPerms := DefaultRolePermissions[RoleAdmin]
+	found := false
+	for _, p := range adminPerms {
+		if p == PermSecurityManage {
+			found = true
+			break
+		}
+	}
+	if !found {
+		t.Fatalf("admin role should have %q permission", PermSecurityManage)
+	}
+}
+
+func TestWriteRoleDoesNotHaveSecurityManage(t *testing.T) {
+	t.Parallel()
+
+	writePerms := DefaultRolePermissions[RoleWrite]
+	for _, p := range writePerms {
+		if p == PermSecurityManage {
+			t.Fatalf("write role should not have %q permission", PermSecurityManage)
+		}
+	}
+}
+
+func TestReadRoleDoesNotHaveSecurityManage(t *testing.T) {
+	t.Parallel()
+
+	readPerms := DefaultRolePermissions[RoleRead]
+	for _, p := range readPerms {
+		if p == PermSecurityManage {
+			t.Fatalf("read role should not have %q permission", PermSecurityManage)
+		}
+	}
+}
+
+func TestAllRolesHaveFeedbackSubmitAndReplayRead(t *testing.T) {
+	t.Parallel()
+
+	for _, role := range SupportedRoles {
+		perms := DefaultRolePermissions[role]
+		hasFeedback := false
+		hasReplay := false
+		for _, p := range perms {
+			if p == PermFeedbackSubmit {
+				hasFeedback = true
+			}
+			if p == PermReplayRead {
+				hasReplay = true
+			}
+		}
+		if !hasFeedback {
+			t.Fatalf("role %q should have %q permission", role, PermFeedbackSubmit)
+		}
+		if !hasReplay {
+			t.Fatalf("role %q should have %q permission", role, PermReplayRead)
+		}
+	}
+}
+
+func TestDefaultRolePermissionsCoversAllSupportedRoles(t *testing.T) {
+	t.Parallel()
+
+	for _, role := range SupportedRoles {
+		if _, ok := DefaultRolePermissions[role]; !ok {
+			t.Fatalf("role %q missing from DefaultRolePermissions", role)
+		}
+	}
+}
@@ -14,8 +14,17 @@ import (
 	routerconfig "github.com/vllm-project/semantic-router/src/semantic-router/pkg/config"
 )
 
+type globalServicesFragment struct {
+	RateLimit *routerconfig.RateLimitConfig `yaml:"ratelimit,omitempty"`
+}
+
+type globalFragment struct {
+	Services *globalServicesFragment `yaml:"services,omitempty"`
+}
+
 type routingFragmentDocument struct {
 	Routing routerconfig.CanonicalRouting `yaml:"routing"`
+	Global  *globalFragment               `yaml:"global,omitempty"`
 }
 
 type setupModeConfig struct {
 
@@ -302,6 +302,7 @@ func mergeDeployPayload(currentData []byte, req DeployRequest) ([]byte, error) {
 	}
 
 	baseConfig.Routing = mergeCanonicalRouting(baseConfig.Routing, fragmentConfig.Routing)
+	mergeFragmentGlobal(&baseConfig, fragmentConfig.Global)
 	mergedYAML, err := marshalYAMLBytes(baseConfig)
 	if err != nil {
 		return nil, fmt.Errorf("failed to marshal merged config: %w", err)
@@ -365,6 +366,16 @@ func mergeCanonicalSignals(base, patch routerconfig.CanonicalSignals) routerconf
 	return merged
 }
 
+func mergeFragmentGlobal(base *routerconfig.CanonicalConfig, frag *globalFragment) {
+	if frag == nil || frag.Services == nil || frag.Services.RateLimit == nil {
+		return
+	}
+	if base.Global == nil {
+		base.Global = &routerconfig.CanonicalGlobal{}
+	}
+	base.Global.Services.RateLimit = *frag.Services.RateLimit
+}
+
 func resolveDeployBaseYAML(currentData []byte, providedBase string) ([]byte, error) {
 	if strings.TrimSpace(providedBase) == "" {
 		return currentData, nil
Original file line number	Diff line number	Diff line change
`@@ -90,6 +90,9 @@ func TestRequiredPermission(t *testing.T) {`
`90`	`90`	`{method: http.MethodPost, path: "/api/openclaw/teams", expected: PermOpenClaw},`
`91`	`91`	`{method: http.MethodPost, path: "/api/openclaw/rooms/room-1/messages", expected: PermOpenClawRead},`
`92`	`92`	`{method: http.MethodPost, path: "/api/router/v1/chat/completions", expected: PermConfigRead},`
	`93`	`+ {method: http.MethodGet, path: "/api/security/policy", expected: PermConfigRead},`
	`94`	`+ {method: http.MethodPut, path: "/api/security/policy", expected: PermSecurityManage},`
	`95`	`+ {method: http.MethodPost, path: "/api/security/policy/preview", expected: PermSecurityManage},`
`93`	`96`	`}`
`94`	`97`
`95`	`98`	`for _, tc := range testCases {`