feat: 增强管理员功能与数据处理

- 在多个控制器中引入 agent_node_id，以支持基于代理节点的权限和数据过滤。
- 更新 AdminRole 和 AdminUser 模型，新增角色范围和代理节点相关功能，提升角色管理的灵活性。
- 在请求验证中添加 agent_node_id 字段，确保 API 接口支持代理节点的相关操作。
- 优化 LotterySettings 服务，支持批量写入设置，提升配置管理的效率。
- 更新仪表板和报告服务，增强数据统计功能，确保管理员能够获取更全面的统计信息。

tests/Feature/AdminAgentNodeApiTest.php

@@ -0,0 +1,280 @@
+<?php
+
+use App\Models\AdminUser;
+use App\Models\AgentNode;
+use Illuminate\Support\Facades\DB;
+use Illuminate\Support\Facades\Hash;
+use Illuminate\Foundation\Testing\RefreshDatabase;
+
+uses(RefreshDatabase::class);
+
+beforeEach(function (): void {
+    $this->artisan('lottery:admin-auth-sync')->assertExitCode(0);
+});
+
+function agentRootNodeId(int $siteId): int
+{
+    return (int) DB::table('agent_nodes')
+        ->where('admin_site_id', $siteId)
+        ->where('depth', 0)
+        ->value('id');
+}
+
+function grantAgentOperatorRole(AdminUser $admin, AgentNode $agent, bool $manage = true): void
+{
+    $now = now();
+    $roleId = DB::table('admin_roles')->insertGetId([
+        'slug' => 'agent_ops_'.$admin->id,
+        'code' => 'agent_ops_'.$admin->id,
+        'name' => 'Agent Ops',
+        'description' => null,
+        'status' => 1,
+        'is_system' => false,
+        'sort_order' => 0,
+        'created_at' => $now,
+        'updated_at' => $now,
+    ]);
+
+    $codes = $manage
+        ? ['agent.node.view', 'agent.node.manage']
+        : ['agent.node.view'];
+
+    $actionIds = DB::table('admin_menu_actions')
+        ->whereIn('permission_code', $codes)
+        ->pluck('id');
+
+    foreach ($actionIds as $actionId) {
+        DB::table('admin_role_menu_actions')->insert([
+            'role_id' => $roleId,
+            'menu_action_id' => (int) $actionId,
+        ]);
+    }
+
+    DB::table('admin_user_site_roles')->insert([
+        'admin_user_id' => $admin->id,
+        'site_id' => (int) $agent->admin_site_id,
+        'role_id' => $roleId,
+        'granted_at' => $now,
+    ]);
+
+    DB::table('admin_user_agents')->insert([
+        'admin_user_id' => $admin->id,
+        'agent_node_id' => (int) $agent->id,
+        'is_primary' => true,
+        'granted_at' => $now,
+    ]);
+}
+
+test('each admin site has exactly one root agent node after migration', function (): void {
+    $siteIds = DB::table('admin_sites')->pluck('id');
+    foreach ($siteIds as $siteId) {
+        expect(
+            DB::table('agent_nodes')->where('admin_site_id', (int) $siteId)->where('depth', 0)->count()
+        )->toBe(1);
+    }
+});
+
+test('super admin can load full agent tree', function (): void {
+    $siteId = (int) DB::table('admin_sites')->where('is_default', true)->value('id');
+    $admin = AdminUser::query()->create([
+        'username' => 'agent_super',
+        'name' => 'Super',
+        'email' => null,
+        'password' => Hash::make('secret-strong'),
+        'status' => 0,
+    ]);
+    grantSuperAdminRole($admin);
+    $token = $admin->createToken('test', ['*'], now()->addDay())->plainTextToken;
+
+    $this->withHeader('Authorization', 'Bearer '.$token)
+        ->getJson('/api/v1/admin/agent-nodes/tree?admin_site_id='.$siteId)
+        ->assertOk()
+        ->assertJsonPath('code', 0)
+        ->assertJsonStructure(['data' => ['admin_site_id', 'tree']]);
+});
+
+test('agent operator only sees own subtree', function (): void {
+    $siteId = (int) DB::table('admin_sites')->where('is_default', true)->value('id');
+    $rootId = agentRootNodeId($siteId);
+
+    $service = app(\App\Services\Agent\AgentNodeService::class);
+    $super = AdminUser::query()->create([
+        'username' => 'bootstrap',
+        'name' => 'Bootstrap',
+        'email' => null,
+        'password' => Hash::make('secret-strong'),
+        'status' => 0,
+    ]);
+    grantSuperAdminRole($super);
+
+    $nodeA = $service->createChild($super, [
+        'parent_id' => $rootId,
+        'code' => 'branch-a',
+        'name' => 'Branch A',
+        'status' => 1,
+    ]);
+    $service->createChild($super, [
+        'parent_id' => $rootId,
+        'code' => 'branch-b',
+        'name' => 'Branch B',
+        'status' => 1,
+    ]);
+
+    $operator = AdminUser::query()->create([
+        'username' => 'agent_a_ops',
+        'name' => 'A Ops',
+        'email' => null,
+        'password' => Hash::make('secret-strong'),
+        'status' => 0,
+    ]);
+    grantAgentOperatorRole($operator, $nodeA);
+
+    $token = $operator->createToken('test', ['*'], now()->addDay())->plainTextToken;
+
+    $response = $this->withHeader('Authorization', 'Bearer '.$token)
+        ->getJson('/api/v1/admin/agent-nodes/tree');
+
+    $response->assertOk();
+    $tree = $response->json('data.tree');
+    expect($tree)->toBeArray()->and(count($tree))->toBe(1);
+    expect($tree[0]['code'])->toBe('branch-a');
+    expect(collect($tree)->pluck('code'))->not->toContain('branch-b');
+});
+
+test('agent operator can create child under own node but not under sibling', function (): void {
+    $siteId = (int) DB::table('admin_sites')->where('is_default', true)->value('id');
+    $rootId = agentRootNodeId($siteId);
+    $service = app(\App\Services\Agent\AgentNodeService::class);
+    $super = AdminUser::query()->create([
+        'username' => 'bootstrap2',
+        'name' => 'Bootstrap',
+        'email' => null,
+        'password' => Hash::make('secret-strong'),
+        'status' => 0,
+    ]);
+    grantSuperAdminRole($super);
+
+    $nodeA = $service->createChild($super, [
+        'parent_id' => $rootId,
+        'code' => 'branch-a2',
+        'name' => 'Branch A',
+    ]);
+    $nodeB = $service->createChild($super, [
+        'parent_id' => $rootId,
+        'code' => 'branch-b2',
+        'name' => 'Branch B',
+    ]);
+
+    $operator = AdminUser::query()->create([
+        'username' => 'agent_a2_ops',
+        'name' => 'A Ops',
+        'email' => null,
+        'password' => Hash::make('secret-strong'),
+        'status' => 0,
+    ]);
+    grantAgentOperatorRole($operator, $nodeA);
+    $token = $operator->createToken('test', ['*'], now()->addDay())->plainTextToken;
+
+    $this->withHeader('Authorization', 'Bearer '.$token)
+        ->postJson('/api/v1/admin/agent-nodes', [
+            'parent_id' => $nodeA->id,
+            'code' => 'a-child',
+            'name' => 'A Child',
+        ])
+        ->assertOk()
+        ->assertJsonPath('data.code', 'a-child');
+
+    $this->withHeader('Authorization', 'Bearer '.$token)
+        ->postJson('/api/v1/admin/agent-nodes', [
+            'parent_id' => $nodeB->id,
+            'code' => 'hack-child',
+            'name' => 'Hack',
+        ])
+        ->assertForbidden();
+});
+
+test('auth me returns agent context for bound operator', function (): void {
+    $siteId = (int) DB::table('admin_sites')->where('is_default', true)->value('id');
+    $rootId = agentRootNodeId($siteId);
+    $service = app(\App\Services\Agent\AgentNodeService::class);
+    $super = AdminUser::query()->create([
+        'username' => 'bootstrap3',
+        'name' => 'Bootstrap',
+        'email' => null,
+        'password' => Hash::make('secret-strong'),
+        'status' => 0,
+    ]);
+    grantSuperAdminRole($super);
+
+    $node = $service->createChild($super, [
+        'parent_id' => $rootId,
+        'code' => 'me-branch',
+        'name' => 'Me Branch',
+    ]);
+
+    $operator = AdminUser::query()->create([
+        'username' => 'me_agent_ops',
+        'name' => 'Ops',
+        'email' => null,
+        'password' => Hash::make('secret-strong'),
+        'status' => 0,
+    ]);
+    grantAgentOperatorRole($operator, $node);
+    $token = $operator->createToken('test', ['*'], now()->addDay())->plainTextToken;
+
+    $this->withHeader('Authorization', 'Bearer '.$token)
+        ->getJson('/api/v1/admin/auth/me')
+        ->assertOk()
+        ->assertJsonPath('data.admin.agent.code', 'me-branch')
+        ->assertJsonPath('data.admin.is_super_admin', false);
+});
+
+test('agent node deletion requires leaf node without bindings', function (): void {
+    $siteId = (int) DB::table('admin_sites')->where('is_default', true)->value('id');
+    $rootId = agentRootNodeId($siteId);
+    $service = app(\App\Services\Agent\AgentNodeService::class);
+
+    $super = AdminUser::query()->create([
+        'username' => 'delete_agent_super',
+        'name' => 'Delete Super',
+        'email' => null,
+        'password' => Hash::make('secret-strong'),
+        'status' => 0,
+    ]);
+    grantSuperAdminRole($super);
+    $token = $super->createToken('test', ['*'], now()->addDay())->plainTextToken;
+
+    $nodeWithChild = $service->createChild($super, [
+        'parent_id' => $rootId,
+        'code' => 'delete-parent',
+        'name' => 'Delete Parent',
+    ]);
+    $service->createChild($super, [
+        'parent_id' => $nodeWithChild->id,
+        'code' => 'delete-child',
+        'name' => 'Delete Child',
+    ]);
+
+    $this->withHeader('Authorization', 'Bearer '.$token)
+        ->deleteJson('/api/v1/admin/agent-nodes/'.$rootId)
+        ->assertStatus(422)
+        ->assertJsonPath('msg', __('admin.agent_root_delete_denied'));
+
+    $this->withHeader('Authorization', 'Bearer '.$token)
+        ->deleteJson('/api/v1/admin/agent-nodes/'.$nodeWithChild->id)
+        ->assertStatus(422)
+        ->assertJsonPath('msg', __('admin.agent_node_has_children_cannot_delete'));
+
+    $leaf = $service->createChild($super, [
+        'parent_id' => $rootId,
+        'code' => 'delete-leaf',
+        'name' => 'Delete Leaf',
+    ]);
+
+    $this->withHeader('Authorization', 'Bearer '.$token)
+        ->deleteJson('/api/v1/admin/agent-nodes/'.$leaf->id)
+        ->assertOk()
+        ->assertJsonPath('code', 0);
+
+    expect(AgentNode::query()->find($leaf->id))->toBeNull();
+});