refactor: 更新权限管理与请求验证逻辑

- 在多个控制器中将权限检查从 hasAdminPermission 更新为 hasPermissionCode，以增强权限管理的灵活性。
- 引入 AdminScopePolicy，优化基于代理节点的权限和数据过滤逻辑，确保管理员能够更精确地控制访问权限。
- 在请求验证中添加 agent_node_id 字段，确保 API 接口支持代理节点的相关操作。
- 更新 AdminUser 模型，新增 hasPermissionCode 方法，以支持更细粒度的权限检查。
- 优化审计日志记录逻辑，确保在处理请求时能够准确记录管理员的操作。

tests/Feature/AdminSettingBatchUpdateTest.php

@@ -35,6 +35,32 @@ function settingsAdminToken(): string
     return $admin->createToken('test', ['*'], now()->addDay())->plainTextToken;
 }
 
+function settingsReadOnlyToken(): string
+{
+    $admin = AdminUser::query()->create([
+        'username' => 'settings_readonly',
+        'name' => 'Settings Readonly',
+        'email' => null,
+        'password' => Hash::make('secret-strong'),
+        'status' => 0,
+    ]);
+
+    $role = AdminRole::query()->create([
+        'slug' => 'settings_readonly_role',
+        'name' => 'Settings Readonly Role',
+    ]);
+    $role->syncLegacyPermissionSlugs(['prd.rebate.manage']);
+
+    $admin->roles()->sync([
+        (int) $role->id => [
+            'site_id' => AdminUser::defaultAdminSiteId(),
+            'granted_at' => now(),
+        ],
+    ]);
+
+    return $admin->createToken('test', ['*'], now()->addDay())->plainTextToken;
+}
+
 test('admin can batch update settings in one request', function (): void {
     LotterySettings::put('draw.interval_minutes', 5, 'draw');
     LotterySettings::put('draw.cooldown_minutes', 15, 'draw');
@@ -101,3 +127,33 @@ test('admin can update single setting with false value', function (): void {
 
     expect(LotterySetting::query()->where('setting_key', 'settlement.apply_rebate_to_payout')->value('value_json'))->toBeFalse();
 });
+
+test('non payout manager cannot batch update settlement settings', function (): void {
+    LotterySettings::put('settlement.auto_payout_on_tick', true, 'settlement');
+
+    $token = settingsReadOnlyToken();
+
+    $this->withHeader('Authorization', 'Bearer '.$token)
+        ->putJson('/api/v1/admin/settings/batch', [
+            'items' => [
+                ['key' => 'settlement.auto_payout_on_tick', 'value' => false],
+            ],
+        ])
+        ->assertForbidden();
+
+    expect(LotterySetting::query()->where('setting_key', 'settlement.auto_payout_on_tick')->value('value_json'))->toBeTrue();
+});
+
+test('non payout manager cannot update single settlement setting', function (): void {
+    LotterySettings::put('settlement.auto_approve_on_tick', true, 'settlement');
+
+    $token = settingsReadOnlyToken();
+
+    $this->withHeader('Authorization', 'Bearer '.$token)
+        ->putJson('/api/v1/admin/settings/settlement.auto_approve_on_tick', [
+            'value' => false,
+        ])
+        ->assertForbidden();
+
+    expect(LotterySetting::query()->where('setting_key', 'settlement.auto_approve_on_tick')->value('value_json'))->toBeTrue();
+});