diff --git a/auth/auth.go b/auth/auth.go
index 784f148..533d806 100644
--- a/auth/auth.go
+++ b/auth/auth.go
@@ -347,9 +347,28 @@ func (a *appAuth) initRole(roleCode string) error {
 }
 }
- // 为通配符权限创建特殊记录
+ // 为通配符权限创建记录
 if hasWildcard {
 wildcardPermID := fmt.Sprintf("%s:*:*", a.scope)
+
+ // 先确保通配符 permission 存在
+ var perm models.Permission
+ err := cfg.DB().Where("id = ?", wildcardPermID).First(&perm).Error
+ if err != nil {
+ // 创建通配符 permission
+ perm = models.Permission{
+ ID: wildcardPermID,
+ Scope: a.scope,
+ Resource: "*",
+ Action: "*",
+ Description: fmt.Sprintf("%s wildcard permission", a.scope),
+ }
+ if err := cfg.DB().Create(&perm).Error; err != nil {
+ return fmt.Errorf("failed to create wildcard permission: %w", err)
+ }
+ }
+
+ // 创建 role_permission 关联
 var count int64
 cfg.DB().Model(&models.RolePermission{}).
 Where("role_id = ? AND permission_id = ?", role.ID, wildcardPermID).
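Review bot: The `if err != nil` after `First(&perm)` treats every lookup failure as "record missing", so a timeout or connection error falls through to `Create` for the `%s:*:*` permission instead of stopping role initialisation with the real cause. Assuming `cfg.DB()` is a GORM handle, branch on the sentinel instead: `if errors.Is(err, gorm.ErrRecordNotFound) { /* create */ } else if err != nil { return fmt.Errorf("looking up wildcard permission: %w", err) }`. The lookup-then-create pair is also not atomic, so two concurrent `initRole` calls can both reach `Create` and one of them returns a duplicate-key error; an idempotent insert (for example GORM's `FirstOrCreate`, relying on the primary key) would avoid that. initRole starts and ends outside this hunk, so whether `errors` and `gorm` are already imported in the file is not visible here.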