diff --git a/src/app/(app)/settings/roles/page.tsx b/src/app/(app)/settings/roles/page.tsx
index ad4aa27..4feb742 100644
--- a/src/app/(app)/settings/roles/page.tsx
+++ b/src/app/(app)/settings/roles/page.tsx
@@ -13,13 +13,19 @@ interface Role {
 
 const allPermissions = [
   { key: 'tickets:read', label: '查看工单' },
-  { key: 'tickets:write', label: '编辑工单' },
+  { key: 'tickets:create', label: '手动建单' },
+  { key: 'tickets:import', label: '导入工单' },
+  { key: 'tickets:export', label: '导出工单' },
+  { key: 'tickets:write', label: '编辑/删除工单' },
   { key: 'reports:read', label: '查看报告' },
-  { key: 'reports:write', label: '编辑报告' },
+  { key: 'reports:download', label: '下载报告' },
+  { key: 'reports:create', label: '新建报告' },
   { key: 'users:read', label: '查看用户' },
   { key: 'users:write', label: '编辑用户' },
   { key: 'roles:read', label: '查看角色' },
   { key: 'roles:write', label: '编辑角色' },
+  { key: 'api-keys:read', label: '查看 API Key' },
+  { key: 'api-keys:write', label: '编辑 API Key' },
 ]
 
 export default function RolesPage() {
diff --git a/src/lib/db-schema.ts b/src/lib/db-schema.ts
index c71b2ba..890a434 100644
--- a/src/lib/db-schema.ts
+++ b/src/lib/db-schema.ts
@@ -59,11 +59,24 @@ export function initDatabase(): void {
   }
   const roles = [
     { name: 'admin', display_name: '管理员', permissions: '["*"]' },
-    { name: 'operator', display_name: '运维人员', permissions: '["tickets:read","tickets:write","reports:read"]' },
-    { name: 'viewer', display_name: '查看者', permissions: '["tickets:read","reports:read"]' },
+    { name: 'operator', display_name: '运维人员', permissions: '["tickets:read","tickets:create","tickets:import","tickets:export","tickets:write","reports:read","reports:download","reports:create"]' },
+    { name: 'viewer', display_name: '查看者', permissions: '["tickets:read","tickets:export","reports:read","reports:download"]' },
   ]
   for (const r of roles) {
-    const ex = db.prepare('SELECT id FROM roles WHERE name = ?').get(r.name)
-    if (!ex) db.prepare('INSERT INTO roles (name, display_name, permissions) VALUES (?, ?, ?)').run(r.name, r.display_name, r.permissions)
+    const ex = db.prepare('SELECT id, permissions FROM roles WHERE name = ?').get(r.name) as { id: number; permissions: string } | undefined
+    if (!ex) {
+      db.prepare('INSERT INTO roles (name, display_name, permissions) VALUES (?, ?, ?)').run(r.name, r.display_name, r.permissions)
+    } else {
+      // 迁移：更新已有角色的权限（追加新权限，保留已有自定义）
+      const newPerms = JSON.parse(r.permissions) as string[]
+      let existingPerms: string[] = []
+      try { existingPerms = JSON.parse(ex.permissions) } catch {}
+      if (!existingPerms.includes('*')) {
+        for (const p of newPerms) {
+          if (!existingPerms.includes(p)) existingPerms.push(p)
+        }
+        db.prepare('UPDATE roles SET permissions = ? WHERE id = ?').run(JSON.stringify(existingPerms), ex.id)
+      }
+    }
   }
 }