fix(saas): 统一权限体系 — check_permission 辅助函数 + admin:full 超级权限

- 新增 check_permission() 统一权限检查，admin:full 自动通过所有检查
- 统一种子角色权限名称与 handler 检查一致 (provider:manage, model:manage, config:write)
- super_admin 拥有 admin:full + 所有模块管理权限
- 全部 handler 迁移到 check_permission()，消除手动 contains 检查

crates/zclaw-saas/src/account/handlers.rs

@@ -5,16 +5,13 @@ use axum::{
     Json,
 };
 use crate::state::AppState;
-use crate::error::{SaasError, SaasResult};
+use crate::error::SaasResult;
 use crate::auth::types::AuthContext;
-use crate::auth::handlers::log_operation;
+use crate::auth::handlers::{log_operation, check_permission};
 use super::{types::*, service};
 
 fn require_admin(ctx: &AuthContext) -> SaasResult<()> {
-    if !ctx.permissions.contains(&"account:admin".to_string()) {
-        return Err(SaasError::Forbidden("需要 account:admin 权限".into()));
-    }
-    Ok(())
+    check_permission(ctx, "account:admin")
 }
 
 /// GET /api/v1/accounts (admin only)