feat(cis): add selectable profile and per-rule hardening toggles

roles/cis/tasks/permissions.yml

@@ -1,5 +1,6 @@
 ---
 - name: Check CIS permission targets
+  when: cis_effective_rules.file_permissions | default(false)
   ansible.builtin.stat:
     path: "{{ item.path }}"
   loop: "{{ cis_permission_targets }}"
@@ -9,12 +10,14 @@
   changed_when: false
 
 - name: Set permissions for existing targets
+  when:
+    - cis_effective_rules.file_permissions | default(false)
+    - item.stat.exists
   ansible.builtin.file:
     path: "{{ item.item.path }}"
     owner: "{{ item.item.owner | default(omit) }}"
     group: "{{ item.item.group | default(omit) }}"
     mode: "{{ item.item.mode }}"
-  loop: "{{ cis_permission_stats.results }}"
+  loop: "{{ cis_permission_stats.results | default([]) }}"
   loop_control:
     label: "{{ item.item.path }}"
-  when: item.stat.exists