feat(admin): 统一后台 API 资源鉴权并完善投注风控快照与回补

tests/Feature/AdminAuthorizationAuditCommandTest.php

@@ -0,0 +1,48 @@
+<?php
+
+use Database\Seeders\AdminRbacAndUserSeeder;
+use Illuminate\Foundation\Testing\RefreshDatabase;
+use Illuminate\Support\Facades\DB;
+
+uses(RefreshDatabase::class);
+
+test('admin authorization audit reports missing api resources for protected routes', function (): void {
+    DB::table('admin_api_resources')
+        ->where('code', 'admin.config.play-versions.index')
+        ->delete();
+
+    $this->artisan('lottery:admin-auth-audit')
+        ->expectsOutputToContain('Admin authorization audit found')
+        ->expectsOutputToContain('[route_coverage]')
+        ->assertExitCode(1);
+});
+
+test('admin authorization audit passes on the default authorization catalog', function (): void {
+    $this->artisan('lottery:admin-auth-audit')
+        ->expectsOutputToContain('Admin authorization audit passed.')
+        ->assertExitCode(0);
+});
+
+test('admin authorization audit detects role api resource drift', function (): void {
+    $this->seed(AdminRbacAndUserSeeder::class);
+
+    $resourceId = DB::table('admin_api_resources')
+        ->where('code', 'admin.audit.index')
+        ->value('id');
+
+    $roleId = DB::table('admin_roles')
+        ->where('slug', 'finance')
+        ->value('id');
+
+    expect($resourceId)->not->toBeNull();
+    expect($roleId)->not->toBeNull();
+
+    DB::table('admin_role_api_resources')
+        ->where('role_id', (int) $roleId)
+        ->where('api_resource_id', (int) $resourceId)
+        ->delete();
+
+    $this->artisan('lottery:admin-auth-audit --skip-route-coverage')
+        ->expectsOutputToContain('Missing role-resource grant')
+        ->assertExitCode(1);
+});