feat: 增强代理和玩家管理功能

- 在 SyncAdminAuthorizationCommand 中新增对代理线路和结算菜单操作的同步功能，确保缺失的菜单操作行能够被创建。 - 更新多个控制器中的权限检查逻辑，使用 hasPermissionCode 替代原有的权限验证方式，提升权限管理的灵活性。 - 在 AdminPlayerStoreController 中引入对玩家创建能力的验证，确保只有具备相应权限的管理员能够创建玩家。 - 更新请求验证逻辑，新增 credit_limit、rebate_rate 和 extra_rebate_rate 字段，以支持更细粒度的玩家管理。 - 在 AdminUser 和 AgentNode 模型中增强角色与用户的权限管理功能，支持更细粒度的权限控制。
2026-06-04 09:17:47 +08:00
parent 240d585f15
commit e3ffffad9c
74 changed files with 3076 additions and 65 deletions
--- a/app/Http/Controllers/Api/V1/Admin/Agent/AgentLineShowController.php
+++ b/app/Http/Controllers/Api/V1/Admin/Agent/AgentLineShowController.php
@@ -0,0 +1,43 @@
+<?php
+
+namespace App\Http\Controllers\Api\V1\Admin\Agent;
+
+use App\Http\Controllers\Controller;
+use App\Models\AdminSite;
+use App\Models\AgentNode;
+use App\Support\AdminIntegrationSitePresenter;
+use App\Support\AdminSiteScope;
+use App\Support\AgentLinePresenter;
+use App\Support\AgentNodePresenter;
+use App\Support\ApiResponse;
+use Illuminate\Http\JsonResponse;
+use Illuminate\Http\Request;
+
+/** GET /api/v1/admin/agent-lines/{admin_site} */
+final class AgentLineShowController extends Controller
+{
+    public function __invoke(Request $request, AdminSite $admin_site): JsonResponse
+    {
+        $admin = $request->lotteryAdmin();
+        abort_if($admin === null, 401);
+
+        if (! AdminSiteScope::siteIdAllowed($admin, (int) $admin_site->id)) {
+            abort(403);
+        }
+
+        $root = AgentNode::query()
+            ->where('admin_site_id', $admin_site->id)
+            ->where('depth', 0)
+            ->firstOrFail();
+
+        return ApiResponse::success([
+            'site' => AdminIntegrationSitePresenter::detail($admin_site),
+            'agent_node' => AgentNodePresenter::item($root),
+            'line_root' => [
+                'agent_node_id' => (int) $root->id,
+                'site_code' => (string) $admin_site->code,
+                'is_line_root' => true,
+            ],
+        ]);
+    }
+}
--- a/app/Http/Controllers/Api/V1/Admin/Agent/AgentLineStoreController.php
+++ b/app/Http/Controllers/Api/V1/Admin/Agent/AgentLineStoreController.php
@@ -0,0 +1,47 @@
+<?php
+
+namespace App\Http\Controllers\Api\V1\Admin\Agent;
+
+use App\Http\Controllers\Controller;
+use App\Http\Middleware\RecordAdminApiAudit;
+use App\Http\Requests\Admin\AdminAgentLineStoreRequest;
+use App\Services\Agent\AgentSiteProvisioningService;
+use App\Services\AuditLogger;
+use App\Support\AdminIntegrationSitePresenter;
+use App\Support\AgentLinePresenter;
+use App\Support\ApiResponse;
+use Illuminate\Http\JsonResponse;
+
+/** POST /api/v1/admin/agent-lines */
+final class AgentLineStoreController extends Controller
+{
+    public function __invoke(
+        AdminAgentLineStoreRequest $request,
+        AgentSiteProvisioningService $service,
+    ): JsonResponse {
+        $admin = $request->lotteryAdmin();
+        abort_if($admin === null, 401);
+
+        $result = $service->createRootAgent($admin, $request->validated());
+        $site = $result['site'];
+        $node = $result['agent_node'];
+
+        $payload = AgentLinePresenter::provisioned($site, $node, $result['secrets']);
+
+        AuditLogger::recordForAdmin(
+            $admin,
+            $request,
+            moduleCode: 'agent',
+            actionCode: 'agent_line.provision',
+            targetType: 'admin_site',
+            targetId: (string) $site->id,
+            afterJson: [
+                'site' => AdminIntegrationSitePresenter::detail($site),
+                'agent_node_id' => (int) $node->id,
+            ],
+        );
+        $request->attributes->set(RecordAdminApiAudit::ATTRIBUTE_AUDIT_RECORDED, true);
+
+        return ApiResponse::success($payload)->setStatusCode(201);
+    }
+}
--- a/app/Http/Controllers/Api/V1/Admin/Agent/AgentNodeDestroyController.php
+++ b/app/Http/Controllers/Api/V1/Admin/Agent/AgentNodeDestroyController.php
@@ -43,12 +43,8 @@ final class AgentNodeDestroyController extends Controller
            return ApiMessage::errorResponse($request, 'admin.agent_node_has_children_cannot_delete', ErrorCode::ValidationFailed->value, null, 422);
        }

-        if (DB::table('admin_user_agents')->where('agent_node_id', (int) $agent_node->id)->exists()) {
-            return ApiMessage::errorResponse($request, 'admin.agent_node_has_users_cannot_delete', ErrorCode::ValidationFailed->value, null, 422);
-        }
-
-        if ($service->hasBlockingCustomRoles($agent_node)) {
-            return ApiMessage::errorResponse($request, 'admin.agent_node_has_roles_cannot_delete', ErrorCode::ValidationFailed->value, null, 422);
+        if (DB::table('players')->where('agent_node_id', $agent_node->id)->exists()) {
+            return ApiMessage::errorResponse($request, 'admin.agent_node_has_players_cannot_delete', ErrorCode::ValidationFailed->value, null, 422);
        }

        $before = AgentNodePresenter::item($agent_node);
--- a/app/Http/Controllers/Api/V1/Admin/Agent/AgentNodeProfileController.php
+++ b/app/Http/Controllers/Api/V1/Admin/Agent/AgentNodeProfileController.php
@@ -0,0 +1,49 @@
+<?php
+
+namespace App\Http\Controllers\Api\V1\Admin\Agent;
+
+use App\Http\Controllers\Controller;
+use App\Http\Requests\Admin\AdminAgentProfileUpdateRequest;
+use App\Models\AgentNode;
+use App\Models\AgentProfile;
+use App\Services\Agent\AgentNodeService;
+use App\Services\Agent\AgentProfileService;
+use App\Support\AdminAgentScope;
+use App\Support\ApiResponse;
+use Illuminate\Http\JsonResponse;
+use Illuminate\Http\Request;
+
+/** GET/PUT /api/v1/admin/agent-nodes/{agent_node}/profile */
+final class AgentNodeProfileController extends Controller
+{
+    public function show(Request $request, AgentNode $agent_node): JsonResponse
+    {
+        $admin = $request->lotteryAdmin();
+        abort_if($admin === null, 401);
+        abort_if(! AdminAgentScope::nodeVisibleTo($admin, $agent_node), 403);
+
+        $profile = AgentProfile::query()->firstOrNew(['agent_node_id' => $agent_node->id]);
+
+        return ApiResponse::success(app(AgentProfileService::class)->present($profile));
+    }
+
+    public function update(
+        AdminAgentProfileUpdateRequest $request,
+        AgentNode $agent_node,
+        AgentProfileService $service,
+        AgentNodeService $agentNodeService,
+    ): JsonResponse {
+        $admin = $request->lotteryAdmin();
+        abort_if($admin === null, 401);
+        abort_if(! AdminAgentScope::nodeVisibleTo($admin, $agent_node), 403);
+
+        $parent = $agent_node->parent_id !== null
+            ? AgentNode::query()->find($agent_node->parent_id)
+            : null;
+
+        $profile = $service->upsertForNode($agent_node, $request->validated(), $parent);
+        $agentNodeService->syncPrimaryOwnerRoleFromProfile($agent_node, $profile);
+
+        return ApiResponse::success($service->present($profile));
+    }
+}
--- a/app/Http/Controllers/Api/V1/Admin/AgentSettlement/AgentSettlementBillConfirmController.php
+++ b/app/Http/Controllers/Api/V1/Admin/AgentSettlement/AgentSettlementBillConfirmController.php
@@ -0,0 +1,61 @@
+<?php
+
+namespace App\Http\Controllers\Api\V1\Admin\AgentSettlement;
+
+use App\Http\Controllers\Controller;
+use App\Http\Middleware\RecordAdminApiAudit;
+use App\Models\Player;
+use App\Services\AuditLogger;
+use App\Services\Player\PlayerCreditService;
+use App\Support\AdminAgentSettlementScope;
+use App\Support\ApiResponse;
+use Illuminate\Http\JsonResponse;
+use Illuminate\Http\Request;
+use Illuminate\Support\Facades\DB;
+
+final class AgentSettlementBillConfirmController extends Controller
+{
+    public function __invoke(
+        Request $request,
+        int $settlement_bill,
+        PlayerCreditService $creditService,
+    ): JsonResponse {
+        $admin = $request->lotteryAdmin();
+        abort_if($admin === null, 401);
+
+        abort_if(! AdminAgentSettlementScope::billAccessible($admin, $settlement_bill), 404);
+
+        $bill = DB::table('settlement_bills')->where('id', $settlement_bill)->first();
+        abort_if($bill === null, 404);
+
+        $unpaid = (int) $bill->unpaid_amount;
+        DB::table('settlement_bills')->where('id', $settlement_bill)->update([
+            'paid_amount' => (int) $bill->paid_amount + $unpaid,
+            'unpaid_amount' => 0,
+            'status' => 'confirmed',
+            'confirmed_at' => now(),
+            'updated_at' => now(),
+        ]);
+
+        if ($bill->owner_type === 'player' && (int) $bill->owner_id > 0) {
+            $player = Player::query()->find((int) $bill->owner_id);
+            if ($player !== null) {
+                $creditService->releaseFromSettlement($player, $unpaid, $settlement_bill);
+            }
+        }
+
+        AuditLogger::recordForAdmin(
+            $admin,
+            $request,
+            moduleCode: 'settlement',
+            actionCode: 'settlement_bill.confirm',
+            targetType: 'settlement_bill',
+            targetId: (string) $settlement_bill,
+            beforeJson: ['status' => (string) $bill->status, 'unpaid_amount' => $unpaid],
+            afterJson: ['status' => 'confirmed', 'paid_amount' => (int) $bill->paid_amount + $unpaid],
+        );
+        $request->attributes->set(RecordAdminApiAudit::ATTRIBUTE_AUDIT_RECORDED, true);
+
+        return ApiResponse::success(['bill_id' => $settlement_bill, 'status' => 'confirmed']);
+    }
+}
--- a/app/Http/Controllers/Api/V1/Admin/AgentSettlement/AgentSettlementBillIndexController.php
+++ b/app/Http/Controllers/Api/V1/Admin/AgentSettlement/AgentSettlementBillIndexController.php
@@ -0,0 +1,31 @@
+<?php
+
+namespace App\Http\Controllers\Api\V1\Admin\AgentSettlement;
+
+use App\Http\Controllers\Controller;
+use App\Support\AdminAgentSettlementScope;
+use App\Support\ApiResponse;
+use Illuminate\Http\JsonResponse;
+use Illuminate\Http\Request;
+use Illuminate\Support\Facades\DB;
+
+final class AgentSettlementBillIndexController extends Controller
+{
+    public function __invoke(Request $request): JsonResponse
+    {
+        $admin = $request->lotteryAdmin();
+        abort_if($admin === null, 401);
+
+        $periodId = (int) $request->query('settlement_period_id', 0);
+        $query = DB::table('settlement_bills')->orderByDesc('id');
+        if ($periodId > 0) {
+            $query->where('settlement_period_id', $periodId);
+        }
+
+        AdminAgentSettlementScope::applyToBillsQuery($query, $admin);
+
+        return ApiResponse::success([
+            'items' => $query->limit(100)->get(),
+        ]);
+    }
+}
--- a/app/Http/Controllers/Api/V1/Admin/AgentSettlement/AgentSettlementPeriodCloseController.php
+++ b/app/Http/Controllers/Api/V1/Admin/AgentSettlement/AgentSettlementPeriodCloseController.php
@@ -0,0 +1,43 @@
+<?php
+
+namespace App\Http\Controllers\Api\V1\Admin\AgentSettlement;
+
+use App\Http\Controllers\Controller;
+use App\Http\Middleware\RecordAdminApiAudit;
+use App\Services\AgentSettlement\AgentSettlementPeriodCloseService;
+use App\Services\AuditLogger;
+use App\Support\AdminAgentSettlementScope;
+use App\Support\ApiResponse;
+use Illuminate\Http\JsonResponse;
+use Illuminate\Http\Request;
+use Illuminate\Support\Facades\DB;
+
+final class AgentSettlementPeriodCloseController extends Controller
+{
+    public function __invoke(
+        Request $request,
+        int $settlement_period,
+        AgentSettlementPeriodCloseService $service,
+    ): JsonResponse {
+        $admin = $request->lotteryAdmin();
+        abort_if($admin === null, 401);
+        abort_if(! AdminAgentSettlementScope::periodAccessible($admin, $settlement_period), 404);
+
+        $before = DB::table('settlement_periods')->where('id', $settlement_period)->first();
+        $result = $service->closePeriod($settlement_period);
+
+        AuditLogger::recordForAdmin(
+            $admin,
+            $request,
+            moduleCode: 'settlement',
+            actionCode: 'settlement_period.close',
+            targetType: 'settlement_period',
+            targetId: (string) $settlement_period,
+            beforeJson: $before !== null ? (array) $before : null,
+            afterJson: $result,
+        );
+        $request->attributes->set(RecordAdminApiAudit::ATTRIBUTE_AUDIT_RECORDED, true);
+
+        return ApiResponse::success($result);
+    }
+}
--- a/app/Http/Controllers/Api/V1/Admin/AgentSettlement/AgentSettlementPeriodStoreController.php
+++ b/app/Http/Controllers/Api/V1/Admin/AgentSettlement/AgentSettlementPeriodStoreController.php
@@ -0,0 +1,52 @@
+<?php
+
+namespace App\Http\Controllers\Api\V1\Admin\AgentSettlement;
+
+use App\Http\Controllers\Controller;
+use App\Http\Middleware\RecordAdminApiAudit;
+use App\Http\Requests\Admin\AdminSettlementPeriodStoreRequest;
+use App\Services\AuditLogger;
+use App\Support\AdminAgentSettlementScope;
+use App\Support\ApiResponse;
+use Illuminate\Http\JsonResponse;
+use Illuminate\Support\Facades\DB;
+
+final class AgentSettlementPeriodStoreController extends Controller
+{
+    public function __invoke(AdminSettlementPeriodStoreRequest $request): JsonResponse
+    {
+        $admin = $request->lotteryAdmin();
+        abort_if($admin === null, 401);
+
+        $data = $request->validated();
+        abort_if(
+            ! AdminAgentSettlementScope::siteAccessible($admin, (int) $data['admin_site_id']),
+            404,
+        );
+
+        $id = DB::table('settlement_periods')->insertGetId([
+            'admin_site_id' => (int) $data['admin_site_id'],
+            'period_start' => $data['period_start'],
+            'period_end' => $data['period_end'],
+            'status' => 'open',
+            'created_at' => now(),
+            'updated_at' => now(),
+        ]);
+
+        $row = DB::table('settlement_periods')->where('id', $id)->first();
+
+        AuditLogger::recordForAdmin(
+            $admin,
+            $request,
+            moduleCode: 'settlement',
+            actionCode: 'settlement_period.store',
+            targetType: 'settlement_period',
+            targetId: (string) $id,
+            beforeJson: null,
+            afterJson: (array) $row,
+        );
+        $request->attributes->set(RecordAdminApiAudit::ATTRIBUTE_AUDIT_RECORDED, true);
+
+        return ApiResponse::success((array) $row)->setStatusCode(201);
+    }
+}
--- a/app/Http/Controllers/Api/V1/Admin/Integration/AdminIntegrationSiteStoreController.php
+++ b/app/Http/Controllers/Api/V1/Admin/Integration/AdminIntegrationSiteStoreController.php
@@ -11,6 +11,8 @@ use App\Services\Integration\IntegrationSiteService;
 use App\Support\AdminIntegrationSitePresenter;
 use App\Http\Requests\Admin\AdminIntegrationSiteStoreRequest;
 use App\Http\Middleware\RecordAdminApiAudit;
+use App\Lottery\ErrorCode;
+use App\Support\ApiMessage;

 final class AdminIntegrationSiteStoreController extends Controller
 {
@@ -21,6 +23,19 @@ final class AdminIntegrationSiteStoreController extends Controller
        $admin = $request->lotteryAdmin();
        abort_if($admin === null, 401);

+        if (! $admin->isSuperAdmin()) {
+            return ApiMessage::errorResponse(
+                $request,
+                'admin.integration_site_store_deprecated',
+                ErrorCode::AdminForbidden->value,
+                ['hint' => 'Use POST /api/v1/admin/agent-lines to provision a new agent line.'],
+                403,
+            )->withHeaders([
+                'Deprecation' => 'true',
+                'Link' => '</api/v1/admin/agent-lines>; rel="successor-version"',
+            ]);
+        }
+
        $result = $service->create($request->validated());
        $site = $result['site'];

--- a/app/Http/Controllers/Api/V1/Admin/Player/AdminPlayerStoreController.php
+++ b/app/Http/Controllers/Api/V1/Admin/Player/AdminPlayerStoreController.php
@@ -12,15 +12,35 @@ use App\Support\AdminSiteScope;
 use App\Support\PlayerApiPresenter;
 use App\Http\Controllers\Controller;
 use App\Http\Requests\Admin\AdminPlayerStoreRequest;
+use App\Models\AgentNode;
+use App\Services\Agent\AgentProfileService;
+use App\Services\Agent\RebateLimitValidator;
+use App\Services\Player\PlayerCreditService;

 /** POST /api/v1/admin/players */
 final class AdminPlayerStoreController extends Controller
 {
-    public function __invoke(AdminPlayerStoreRequest $request): JsonResponse
-    {
+    public function __invoke(
+        AdminPlayerStoreRequest $request,
+        PlayerCreditService $playerCreditService,
+        RebateLimitValidator $rebateLimitValidator,
+        AgentProfileService $agentProfileService,
+    ): JsonResponse {
        $admin = $request->lotteryAdmin();
        abort_if($admin === null, 401);

+        try {
+            $agentProfileService->assertActorMayCreatePlayer($admin);
+        } catch (\Illuminate\Validation\ValidationException $e) {
+            return ApiMessage::errorResponse(
+                $request,
+                'admin.player_create_capability_forbidden',
+                ErrorCode::AdminForbidden->value,
+                $e->errors(),
+                403,
+            );
+        }
+
        $siteCode = (string) $request->validated('site_code');
        if (! AdminSiteScope::siteCodeAllowed($admin, $siteCode)) {
            return ApiMessage::errorResponse($request, 'admin.player_create_site_forbidden', ErrorCode::AdminForbidden->value, null, 403);
@@ -56,6 +76,15 @@ final class AdminPlayerStoreController extends Controller
            }
        }

+        $agent = AgentNode::query()->findOrFail($agentNodeId);
+        if ($request->has('rebate_rate')) {
+            $rebateLimitValidator->assertPlayerRebateWithinAgent(
+                $agent,
+                (float) $request->input('rebate_rate', 0),
+                (float) $request->input('extra_rebate_rate', 0),
+            );
+        }
+
        $player = Player::query()->create([
            'site_code' => $request->validated('site_code'),
            'agent_node_id' => $agentNodeId,
@@ -66,6 +95,24 @@ final class AdminPlayerStoreController extends Controller
            'status' => $request->validated('status', 0),
        ]);

+        if ($request->has('credit_limit')) {
+            $playerCreditService->upsertAccount($player, [
+                'credit_limit' => (int) $request->input('credit_limit', 0),
+            ]);
+        }
+
+        if ($request->has('rebate_rate')) {
+            \Illuminate\Support\Facades\DB::table('player_rebate_profiles')->insert([
+                'player_id' => $player->id,
+                'game_type' => '*',
+                'inherit_from_agent' => false,
+                'rebate_rate' => (float) $request->input('rebate_rate', 0),
+                'extra_rebate_rate' => (float) $request->input('extra_rebate_rate', 0),
+                'created_at' => now(),
+                'updated_at' => now(),
+            ]);
+        }
+
        return ApiResponse::success(PlayerApiPresenter::listItem($player))->setStatusCode(201);
    }

--- a/app/Http/Controllers/Api/V1/Admin/User/AdminPermissionCatalogController.php
+++ b/app/Http/Controllers/Api/V1/Admin/User/AdminPermissionCatalogController.php
@@ -58,6 +58,7 @@ final class AdminPermissionCatalogController extends Controller
        }

        $roles = AdminRole::query()
+            ->where('scope_type', AdminRole::SCOPE_SYSTEM)
            ->orderBy('slug')
            ->get(['id', 'slug', 'name']);

--- a/app/Http/Controllers/Api/V1/Admin/User/AdminRoleDestroyController.php
+++ b/app/Http/Controllers/Api/V1/Admin/User/AdminRoleDestroyController.php
@@ -10,12 +10,15 @@ use Illuminate\Http\Request;
 use App\Services\AuditLogger;
 use Illuminate\Http\JsonResponse;
 use App\Http\Controllers\Controller;
+use App\Support\AdminAccountScopeGuard;
 use App\Support\AdminRoleApiPresenter;

 final class AdminRoleDestroyController extends Controller
 {
    public function __invoke(Request $request, AdminRole $admin_role): JsonResponse
    {
+        AdminAccountScopeGuard::assertSystemRole($admin_role);
+
        if ($admin_role->slug === AdminRole::ROLE_SUPER_ADMIN) {
            return ApiMessage::errorResponse($request, 'admin.role_cannot_delete_super_admin', ErrorCode::ValidationFailed->value, null, 422);
        }
--- a/app/Http/Controllers/Api/V1/Admin/User/AdminRolePermissionSyncController.php
+++ b/app/Http/Controllers/Api/V1/Admin/User/AdminRolePermissionSyncController.php
@@ -9,6 +9,7 @@ use Illuminate\Http\JsonResponse;
 use Illuminate\Support\Facades\DB;
 use App\Http\Controllers\Controller;
 use App\Support\AdminPermissionInheritance;
+use App\Support\AdminAccountScopeGuard;
 use App\Support\AdminRoleApiPresenter;
 use App\Http\Requests\Admin\AdminRolePermissionSyncRequest;

@@ -16,6 +17,8 @@ final class AdminRolePermissionSyncController extends Controller
 {
    public function __invoke(AdminRolePermissionSyncRequest $request, AdminRole $admin_role): JsonResponse
    {
+        AdminAccountScopeGuard::assertSystemRole($admin_role);
+
        $slugs = AdminPermissionInheritance::expand(
            array_values(array_unique($request->validated('permission_slugs', []))),
        );
--- a/app/Http/Controllers/Api/V1/Admin/User/AdminRoleUpdateController.php
+++ b/app/Http/Controllers/Api/V1/Admin/User/AdminRoleUpdateController.php
@@ -7,6 +7,7 @@ use App\Support\ApiResponse;
 use App\Services\AuditLogger;
 use Illuminate\Http\JsonResponse;
 use App\Http\Controllers\Controller;
+use App\Support\AdminAccountScopeGuard;
 use App\Support\AdminRoleApiPresenter;
 use App\Http\Requests\Admin\AdminRoleUpdateRequest;

@@ -14,6 +15,8 @@ final class AdminRoleUpdateController extends Controller
 {
    public function __invoke(AdminRoleUpdateRequest $request, AdminRole $admin_role): JsonResponse
    {
+        AdminAccountScopeGuard::assertSystemRole($admin_role);
+
        $before = AdminRoleApiPresenter::item($admin_role);

        $payload = [];
--- a/app/Http/Controllers/Api/V1/Admin/User/AdminUserDestroyController.php
+++ b/app/Http/Controllers/Api/V1/Admin/User/AdminUserDestroyController.php
@@ -10,6 +10,7 @@ use Illuminate\Http\Request;
 use App\Services\AuditLogger;
 use Illuminate\Http\JsonResponse;
 use App\Http\Controllers\Controller;
+use App\Support\AdminAccountScopeGuard;
 use App\Support\AdminUserApiPresenter;

 /** DELETE /api/v1/admin/admin-users/{admin_user} */
@@ -19,6 +20,7 @@ final class AdminUserDestroyController extends Controller
    {
        /** @var AdminUser $actor */
        $actor = $request->lotteryAdmin();
+        AdminAccountScopeGuard::assertPlatformAccount($admin_user);

        if ((int) $actor->getKey() === (int) $admin_user->getKey()) {
            return ApiMessage::errorResponse($request, 'admin.user_cannot_delete_self', ErrorCode::ValidationFailed->value, null, 422);
--- a/app/Http/Controllers/Api/V1/Admin/User/AdminUserIndexController.php
+++ b/app/Http/Controllers/Api/V1/Admin/User/AdminUserIndexController.php
@@ -3,6 +3,7 @@
 namespace App\Http\Controllers\Api\V1\Admin\User;

 use App\Models\AdminUser;
+use Illuminate\Support\Facades\DB;
 use Illuminate\Http\Request;
 use App\Support\AdminApiList;
 use Illuminate\Http\JsonResponse;
@@ -19,6 +20,11 @@ final class AdminUserIndexController extends Controller

        $q = AdminUser::query()
            ->with(['roles'])
+            ->whereNotExists(static function ($sub): void {
+                $sub->select(DB::raw(1))
+                    ->from('admin_user_agents as uag')
+                    ->whereColumn('uag.admin_user_id', 'admin_users.id');
+            })
            ->orderByDesc('id');

        if ($keyword !== '') {
--- a/app/Http/Controllers/Api/V1/Admin/User/AdminUserPermissionSyncController.php
+++ b/app/Http/Controllers/Api/V1/Admin/User/AdminUserPermissionSyncController.php
@@ -9,6 +9,8 @@ use Illuminate\Http\JsonResponse;
 use Illuminate\Support\Facades\DB;
 use App\Http\Controllers\Controller;
 use App\Support\AdminPermissionBridge;
+use App\Support\AdminAccountScopeGuard;
+use App\Support\AdminUserApiPresenter;
 use App\Http\Requests\Admin\AdminUserPermissionSyncRequest;

 /** PUT /api/v1/admin/admin-users/{admin_user}/permissions */
@@ -16,6 +18,8 @@ final class AdminUserPermissionSyncController extends Controller
 {
    public function __invoke(AdminUserPermissionSyncRequest $request, AdminUser $admin_user): JsonResponse
    {
+        AdminAccountScopeGuard::assertPlatformAccount($admin_user);
+
        $input = $request->validated();
        $slugs = AdminPermissionBridge::normalizeCanonicalLegacySlugs(array_values(array_filter(
            (array) ($input['permissions'] ?? $input['permission_slugs'] ?? []),
@@ -69,13 +73,6 @@ final class AdminUserPermissionSyncController extends Controller
            ],
        );

-        return ApiResponse::success([
-            'id' => (int) $admin_user->id,
-            'username' => $admin_user->username,
-            'nickname' => $admin_user->name,
-            'roles' => $admin_user->adminRoleSlugs(),
-            'direct_permissions' => $admin_user->directLegacyPermissionSlugs(),
-            'effective_permissions' => $admin_user->adminPermissionSlugs(),
-        ]);
+        return ApiResponse::success(AdminUserApiPresenter::listItem($admin_user));
    }
 }
--- a/app/Http/Controllers/Api/V1/Admin/User/AdminUserRoleSyncController.php
+++ b/app/Http/Controllers/Api/V1/Admin/User/AdminUserRoleSyncController.php
@@ -6,6 +6,8 @@ use App\Models\AdminUser;
 use App\Support\ApiResponse;
 use Illuminate\Http\JsonResponse;
 use App\Http\Controllers\Controller;
+use App\Support\AdminAccountScopeGuard;
+use App\Support\AdminUserApiPresenter;
 use App\Http\Requests\Admin\AdminUserRoleSyncRequest;

 /** PUT /api/v1/admin/admin-users/{admin_user}/roles */
@@ -13,18 +15,13 @@ final class AdminUserRoleSyncController extends Controller
 {
    public function __invoke(AdminUserRoleSyncRequest $request, AdminUser $admin_user): JsonResponse
    {
+        AdminAccountScopeGuard::assertPlatformAccount($admin_user);
+
        $slugs = array_values(array_unique($request->validated('role_slugs')));
-        $admin_user->syncRoleSlugsForDefaultSite($slugs);
+        $admin_user->syncSystemRoleSlugs($slugs);

        $admin_user->load('roles');

-        return ApiResponse::success([
-            'id' => (int) $admin_user->id,
-            'username' => $admin_user->username,
-            'nickname' => $admin_user->name,
-            'roles' => $admin_user->adminRoleSlugs(),
-            'direct_permissions' => $admin_user->directLegacyPermissionSlugs(),
-            'effective_permissions' => $admin_user->adminPermissionSlugs(),
-        ]);
+        return ApiResponse::success(AdminUserApiPresenter::listItem($admin_user));
    }
 }
--- a/app/Http/Controllers/Api/V1/Admin/User/AdminUserShowController.php
+++ b/app/Http/Controllers/Api/V1/Admin/User/AdminUserShowController.php
@@ -6,6 +6,7 @@ use App\Models\AdminUser;
 use App\Support\ApiResponse;
 use Illuminate\Http\JsonResponse;
 use App\Http\Controllers\Controller;
+use App\Support\AdminAccountScopeGuard;
 use App\Support\AdminUserApiPresenter;

 /** GET /api/v1/admin/admin-users/{admin_user} */
@@ -13,6 +14,8 @@ final class AdminUserShowController extends Controller
 {
    public function __invoke(AdminUser $admin_user): JsonResponse
    {
+        AdminAccountScopeGuard::assertPlatformAccount($admin_user);
+
        $admin_user->load('roles');

        return ApiResponse::success(AdminUserApiPresenter::listItem($admin_user));
--- a/app/Http/Controllers/Api/V1/Admin/User/AdminUserStoreController.php
+++ b/app/Http/Controllers/Api/V1/Admin/User/AdminUserStoreController.php
@@ -37,7 +37,7 @@ final class AdminUserStoreController extends Controller
                'password' => $request->validated('password'),
                'status' => $request->validated('status', 0),
            ]);
-            $created->syncRoleSlugsForDefaultSite($roleSlugs);
+            $created->syncSystemRoleSlugs($roleSlugs);

            return $created;
        });
--- a/app/Http/Controllers/Api/V1/Admin/User/AdminUserUpdateController.php
+++ b/app/Http/Controllers/Api/V1/Admin/User/AdminUserUpdateController.php
@@ -7,6 +7,7 @@ use App\Support\ApiResponse;
 use App\Services\AuditLogger;
 use Illuminate\Http\JsonResponse;
 use App\Http\Controllers\Controller;
+use App\Support\AdminAccountScopeGuard;
 use App\Support\AdminUserApiPresenter;
 use App\Http\Requests\Admin\AdminUserUpdateRequest;

@@ -17,6 +18,7 @@ final class AdminUserUpdateController extends Controller
    {
        /** @var AdminUser $actor */
        $actor = $request->lotteryAdmin();
+        AdminAccountScopeGuard::assertPlatformAccount($admin_user);

        $admin_user->load('roles');
        $before = AdminUserApiPresenter::listItem($admin_user);