fix(saas): 统一权限体系 — check_permission 辅助函数 + admin:full 超级权限

- 新增 check_permission() 统一权限检查，admin:full 自动通过所有检查
- 统一种子角色权限名称与 handler 检查一致 (provider:manage, model:manage, config:write)
- super_admin 拥有 admin:full + 所有模块管理权限
- 全部 handler 迁移到 check_permission()，消除手动 contains 检查

crates/zclaw-saas/src/relay/handlers.rs

@@ -9,7 +9,7 @@ use axum::{
 use crate::state::AppState;
 use crate::error::{SaasError, SaasResult};
 use crate::auth::types::AuthContext;
-use crate::auth::handlers::log_operation;
+use crate::auth::handlers::{log_operation, check_permission};
 use crate::model_config::service as model_service;
 use super::{types::*, service};
 
@@ -21,10 +21,7 @@ pub async fn chat_completions(
     _headers: HeaderMap,
     Json(req): Json<serde_json::Value>,
 ) -> SaasResult<Response> {
-    // 检查 relay:use 权限
-    if !ctx.permissions.contains(&"relay:use".to_string()) {
-        return Err(SaasError::Forbidden("需要 relay:use 权限".into()));
-    }
+    check_permission(&ctx, "relay:use")?;
 
     let model_name = req.get("model")
         .and_then(|v| v.as_str())
@@ -129,8 +126,8 @@ pub async fn get_task(
 ) -> SaasResult<Json<RelayTaskInfo>> {
     let task = service::get_relay_task(&state.db, &id).await?;
     // 只允许查看自己的任务 (admin 可查看全部)
-    if task.account_id != ctx.account_id && !ctx.permissions.contains(&"relay:admin".to_string()) {
-        return Err(SaasError::Forbidden("无权查看此任务".into()));
+    if task.account_id != ctx.account_id {
+        check_permission(&ctx, "relay:admin")?;
     }
     Ok(Json(task))
 }