feat(admin): 更新后台权限管理与同步逻辑，简化权限检查并优化文档

- 新增后台 RBAC 相关文档，提供权限目录与维护命令说明。
- 移除不必要的角色资源同步检查，简化权限审计命令。
- 更新权限描述与同步逻辑，确保一致性与可维护性。
- 统一权限注册表，替换过时的权限别名，增强代码可读性。

tests/Feature/AdminApiResourcePermissionMiddlewareTest.php

@@ -77,7 +77,7 @@ test('admin api resource middleware denies protected report resource without per
 });
 
 test('admin api resource middleware allows protected report resource with mapped permission', function (): void {
-    $token = mintAdminTokenWithLegacySlugs('resource_reporter', ['prd.report.player']);
+    $token = mintAdminTokenWithLegacySlugs('resource_reporter', ['prd.report.view']);
 
     $this->withHeader('Authorization', 'Bearer '.$token)
         ->getJson('/api/v1/admin/report-jobs')

tests/Feature/AdminAuthorizationAuditCommandTest.php

@@ -1,7 +1,6 @@
 <?php
 
 use Illuminate\Support\Facades\DB;
-use Database\Seeders\AdminRbacAndUserSeeder;
 use Illuminate\Foundation\Testing\RefreshDatabase;
 
 uses(RefreshDatabase::class);
@@ -49,27 +48,3 @@ test('admin authorization sync can repair registry-backed api resources and pass
 
     expect($bindingCount)->toBeGreaterThan(0);
 });
-
-test('admin authorization audit detects role api resource drift', function (): void {
-    $this->seed(AdminRbacAndUserSeeder::class);
-
-    $resourceId = DB::table('admin_api_resources')
-        ->where('code', 'admin.audit.index')
-        ->value('id');
-
-    $roleId = DB::table('admin_roles')
-        ->where('slug', 'finance')
-        ->value('id');
-
-    expect($resourceId)->not->toBeNull();
-    expect($roleId)->not->toBeNull();
-
-    DB::table('admin_role_api_resources')
-        ->where('role_id', (int) $roleId)
-        ->where('api_resource_id', (int) $resourceId)
-        ->delete();
-
-    $this->artisan('lottery:admin-auth-audit --skip-route-coverage')
-        ->expectsOutputToContain('Missing role-resource grant')
-        ->assertExitCode(1);
-});

tests/Feature/AdminPermissionBridgeTest.php

@@ -0,0 +1,32 @@
+<?php
+
+use App\Support\AdminPermissionBridge;
+use Illuminate\Foundation\Testing\RefreshDatabase;
+
+uses(RefreshDatabase::class);
+
+test('normalizeCanonicalLegacySlugs maps deprecated audit and report slugs', function (): void {
+    $normalized = AdminPermissionBridge::normalizeCanonicalLegacySlugs([
+        'prd.audit.finance',
+        'prd.report.player',
+        'prd.users.manage',
+    ]);
+
+    expect($normalized)->toBe([
+        'prd.audit.view',
+        'prd.report.view',
+        'prd.users.manage',
+    ]);
+});
+
+test('legacy permission slugs are derived from role menu actions only', function (): void {
+    $role = \App\Models\AdminRole::query()->create([
+        'slug' => 'derived_only',
+        'name' => 'Derived',
+    ]);
+
+    $role->syncLegacyPermissionSlugs(['prd.report.view']);
+
+    expect($role->fresh()->legacyPermissionSlugs())->toBe(['prd.report.view']);
+    expect(\Illuminate\Support\Facades\Schema::hasTable('admin_role_legacy_permissions'))->toBeFalse();
+});

tests/Feature/AdminPhase15OperationsTest.php

@@ -154,7 +154,7 @@ test('reconcile job create with items and nested items index', function (): void
 test('admin without report permission receives 403 on report-jobs', function (): void {
     $role = AdminRole::query()->create(['slug' => 'auditor_test', 'name' => 'Auditor Test']);
     $ids = DB::table('admin_menu_actions')
-        ->whereIn('permission_code', AdminPermissionBridge::menuActionCodesForLegacy('prd.audit.finance'))
+        ->whereIn('permission_code', AdminPermissionBridge::menuActionCodesForLegacy('prd.audit.view'))
         ->where('status', 1)
         ->pluck('id');
     foreach ($ids as $mid) {

tests/Feature/AdminReportAuthorizationFixTest.php

@@ -0,0 +1,75 @@
+<?php
+
+use App\Models\AdminRole;
+use App\Models\AdminUser;
+use Database\Seeders\AdminRbacAndUserSeeder;
+use Illuminate\Support\Facades\DB;
+use Illuminate\Support\Facades\Hash;
+use Illuminate\Foundation\Testing\RefreshDatabase;
+
+uses(RefreshDatabase::class);
+
+function makeFinanceReportAdminToken(): string
+{
+    $admin = AdminUser::query()->create([
+        'username' => 'finance_report_tester',
+        'name' => 'Tester',
+        'email' => null,
+        'password' => Hash::make('secret-strong'),
+        'status' => 0,
+    ]);
+
+    $role = AdminRole::query()->where('slug', 'finance')->firstOrFail();
+    $siteId = AdminUser::defaultAdminSiteId();
+    $admin->roles()->sync([
+        (int) $role->id => [
+            'site_id' => $siteId,
+            'granted_at' => now(),
+        ],
+    ]);
+
+    return $admin->createToken('test', ['*'], now()->addDay())->plainTextToken;
+}
+
+test('finance role with report legacy can access report jobs after rbac seed', function (): void {
+    $this->seed(AdminRbacAndUserSeeder::class);
+
+    $finance = AdminRole::query()->where('slug', 'finance')->firstOrFail();
+    expect($finance->legacyPermissionSlugs())->toContain('prd.report.view');
+
+    $hasReportAction = DB::table('admin_role_menu_actions as rma')
+        ->join('admin_menu_actions as ma', 'ma.id', '=', 'rma.menu_action_id')
+        ->where('rma.role_id', $finance->id)
+        ->where('ma.permission_code', 'service.report.view')
+        ->exists();
+
+    expect($hasReportAction)->toBeTrue();
+
+    $token = makeFinanceReportAdminToken();
+
+    $this->withHeader('Authorization', 'Bearer '.$token)
+        ->getJson('/api/v1/admin/report-jobs')
+        ->assertOk();
+});
+
+test('report api resources only bind service.report.view', function (): void {
+    $this->seed(AdminRbacAndUserSeeder::class);
+
+    $this->artisan('lottery:admin-auth-sync')->assertExitCode(0);
+
+    $codes = [
+        'admin.reports.daily-profit',
+        'admin.report-jobs.index',
+    ];
+
+    foreach ($codes as $code) {
+        $bindings = DB::table('admin_api_resources as ar')
+            ->join('admin_api_resource_bindings as arb', 'arb.api_resource_id', '=', 'ar.id')
+            ->join('admin_menu_actions as ma', 'ma.id', '=', 'arb.menu_action_id')
+            ->where('ar.code', $code)
+            ->pluck('ma.permission_code')
+            ->all();
+
+        expect($bindings)->toBe(['service.report.view']);
+    }
+});

tests/Feature/AdminUserPermissionApiTest.php

@@ -39,7 +39,7 @@ function makeAdminWithPermissions(string $username, array $permissionSlugs): str
 }
 
 test('admin user permission apis require rbac permission', function (): void {
-    $token = makeAdminWithPermissions('rbac_viewer', ['prd.report.player']);
+    $token = makeAdminWithPermissions('rbac_viewer', ['prd.report.view']);
 
     $this->withHeader('Authorization', 'Bearer '.$token)
         ->getJson('/api/v1/admin/admin-users')
@@ -95,13 +95,13 @@ test('admin can list users and sync direct permissions', function (): void {
 
     $this->withHeader('Authorization', 'Bearer '.$token)
         ->putJson('/api/v1/admin/admin-users/'.$target->id.'/permissions', [
-            'permission_slugs' => ['prd.report.player'],
+            'permission_slugs' => ['prd.report.view'],
         ])
         ->assertOk()
         ->assertJsonPath('code', ErrorCode::Success->value)
-        ->assertJsonFragment(['prd.report.player']);
+        ->assertJsonFragment(['prd.report.view']);
 
-    expect($target->fresh()->directLegacyPermissionSlugs())->toContain('prd.report.player');
+    expect($target->fresh()->directLegacyPermissionSlugs())->toContain('prd.report.view');
 
     $list = $this->withHeader('Authorization', 'Bearer '.$token)
         ->getJson('/api/v1/admin/admin-users?keyword=target')
@@ -109,7 +109,7 @@ test('admin can list users and sync direct permissions', function (): void {
         ->json('data.items.0.effective_permissions');
 
     expect($list)->toContain('prd.draw_result.view');
-    expect($list)->toContain('prd.report.player');
+    expect($list)->toContain('prd.report.view');
 });
 
 test('admin can sync user roles for default site', function (): void {
@@ -176,8 +176,7 @@ test('permission catalog groups permissions by admin navigation order', function
         'prd.users.manage',
     ]);
     expect(array_column($groupsByKey['reports']['permissions'], 'slug'))->toContain(
-        'prd.report.player',
-        'prd.report.all',
+        'prd.report.view',
     );
     expect(array_column($groupsByKey['jackpot']['permissions'], 'slug'))->toContain(
         'prd.jackpot.manage',
@@ -207,7 +206,7 @@ test('admin can repair role permissions from the full catalog after role creatio
     expect($catalogSlugs)
         ->toContain('prd.admin_user.manage')
         ->toContain('prd.admin_role.manage')
-        ->toContain('prd.report.player')
+        ->toContain('prd.report.view')
         ->toContain('prd.wallet_reconcile.manage');
 
     $role = $this->withHeader('Authorization', 'Bearer '.$token)
@@ -220,13 +219,15 @@ test('admin can repair role permissions from the full catalog after role creatio
         ->assertJsonPath('data.permission_slugs', [])
         ->json('data');
 
-    $this->withHeader('Authorization', 'Bearer '.$token)
+    $repairResponse = $this->withHeader('Authorization', 'Bearer '.$token)
         ->putJson('/api/v1/admin/admin-roles/'.$role['id'].'/permissions', [
-            'permission_slugs' => ['prd.report.player', 'prd.wallet_reconcile.manage'],
+            'permission_slugs' => ['prd.report.view', 'prd.wallet_reconcile.manage'],
         ])
         ->assertOk()
-        ->assertJsonPath('data.slug', 'repairable_role')
-        ->assertJsonPath('data.permission_slugs', ['prd.report.player', 'prd.wallet_reconcile.manage']);
+        ->assertJsonPath('data.slug', 'repairable_role');
+
+    expect($repairResponse->json('data.permission_slugs'))
+        ->toContain('prd.report.view', 'prd.wallet_reconcile.manage');
 
     $this->withHeader('Authorization', 'Bearer '.$token)
         ->putJson('/api/v1/admin/admin-roles/'.$role['id'].'/permissions', [