feat: 单卡回收接口优化 & 店铺禁用登录拦截

单卡回收优化：
- 移除 from_shop_id 参数，系统自动识别卡所属店铺
- 保持直属下级限制，混合来源分别处理
- 新增 GetDistributedStandaloneByICCIDRange/GetDistributedStandaloneByFilters 方法

店铺禁用拦截：
- 登录时检查关联店铺状态，禁用店铺无法登录
- 新增 CodeShopDisabled 错误码

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

internal/service/auth/service.go

@@ -21,6 +21,7 @@ type Service struct {
 	accountRoleStore *postgres.AccountRoleStore
 	rolePermStore    *postgres.RolePermissionStore
 	permissionStore  *postgres.PermissionStore
+	shopStore        *postgres.ShopStore
 	tokenManager     *auth.TokenManager
 	logger           *zap.Logger
 }
@@ -30,6 +31,7 @@ func New(
 	accountRoleStore *postgres.AccountRoleStore,
 	rolePermStore *postgres.RolePermissionStore,
 	permissionStore *postgres.PermissionStore,
+	shopStore *postgres.ShopStore,
 	tokenManager *auth.TokenManager,
 	logger *zap.Logger,
 ) *Service {
@@ -38,6 +40,7 @@ func New(
 		accountRoleStore: accountRoleStore,
 		rolePermStore:    rolePermStore,
 		permissionStore:  permissionStore,
+		shopStore:        shopStore,
 		tokenManager:     tokenManager,
 		logger:           logger,
 	}
@@ -65,6 +68,22 @@ func (s *Service) Login(ctx context.Context, req *dto.LoginRequest, clientIP str
 		return nil, errors.New(errors.CodeAccountDisabled, "账号已禁用")
 	}
 
+	// 检查店铺状态（代理账号必须关联店铺且店铺必须启用）
+	if account.ShopID != nil && *account.ShopID > 0 {
+		shop, err := s.shopStore.GetByID(ctx, *account.ShopID)
+		if err != nil {
+			if err == gorm.ErrRecordNotFound {
+				s.logger.Warn("登录失败：关联店铺不存在", zap.String("username", req.Username), zap.Uint("shop_id", *account.ShopID))
+				return nil, errors.New(errors.CodeShopNotFound, "关联店铺不存在")
+			}
+			return nil, errors.Wrap(errors.CodeInternalError, err, "查询店铺失败")
+		}
+		if shop.Status != constants.StatusEnabled {
+			s.logger.Warn("登录失败：关联店铺已禁用", zap.String("username", req.Username), zap.Uint("shop_id", *account.ShopID))
+			return nil, errors.New(errors.CodeShopDisabled, "店铺已禁用，无法登录")
+		}
+	}
+
 	device := req.Device
 	if device == "" {
 		device = "web"