feat: 增强后台设置校验、代理权限控制与财务审计能力

app/Http/Controllers/Api/V1/Admin/Agent/AgentNodeRoleStoreController.php

@@ -10,6 +10,7 @@ use App\Http\Controllers\Controller;
 use App\Services\Agent\AgentRoleService;
 use App\Lottery\ErrorCode;
 use App\Support\AdminAgentNodeAccess;
+use App\Support\AdminAgentScope;
 use App\Support\AdminRoleApiPresenter;
 use App\Support\ApiMessage;
 use App\Http\Requests\Admin\AgentRoleStoreRequest;
@@ -39,6 +40,17 @@ final class AgentNodeRoleStoreController extends Controller
             );
         }
 
+        if (! AdminAgentScope::nodeManageableBy($admin, $agent_node)) {
+            return AdminAgentNodeAccess::denyUnlessCanManageParent($admin, $agent_node)
+                ?? ApiMessage::errorResponse(
+                    $request,
+                    'admin.agent_role_manage_denied',
+                    ErrorCode::AdminForbidden->value,
+                    null,
+                    403,
+                );
+        }
+
         $role = $service->createForAgent($admin, $agent_node, $request->validated());
 
         AuditLogger::recordForAdmin(