重构数据权限模型并清理旧RBAC代码

核心变更：
- 数据权限过滤从基于账号层级改为基于用户类型的多策略过滤
- 移除 AccountStore 中的 GetSubordinateIDs 等旧方法
- 重构认证中间件，支持 enterprise_id 和 customer_id
- 更新 GORM Callback，根据用户类型自动选择过滤策略（代理/企业/个人客户）
- 更新所有集成测试以适配新的 API 签名
- 添加功能总结文档和 OpenSpec 归档

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

tests/unit/permission_platform_filter_test.go

@@ -24,7 +24,7 @@ func TestPermissionPlatformFilter_List(t *testing.T) {
 	service := permission.New(permissionStore)
 
 	ctx := context.Background()
-	ctx = middleware.SetUserContext(ctx, 1, constants.UserTypeSuperAdmin, 0)
+	ctx = middleware.SetUserContext(ctx, middleware.NewSimpleUserContext(1, constants.UserTypeSuperAdmin, 0))
 
 	// 创建不同 platform 的权限
 	permissions := []*model.Permission{
@@ -108,7 +108,7 @@ func TestPermissionPlatformFilter_CreateWithDefaultPlatform(t *testing.T) {
 	service := permission.New(permissionStore)
 
 	ctx := context.Background()
-	ctx = middleware.SetUserContext(ctx, 1, constants.UserTypeSuperAdmin, 0)
+	ctx = middleware.SetUserContext(ctx, middleware.NewSimpleUserContext(1, constants.UserTypeSuperAdmin, 0))
 
 	// 创建权限时不指定 platform
 	req := &model.CreatePermissionRequest{
@@ -132,7 +132,7 @@ func TestPermissionPlatformFilter_CreateWithSpecificPlatform(t *testing.T) {
 	service := permission.New(permissionStore)
 
 	ctx := context.Background()
-	ctx = middleware.SetUserContext(ctx, 1, constants.UserTypeSuperAdmin, 0)
+	ctx = middleware.SetUserContext(ctx, middleware.NewSimpleUserContext(1, constants.UserTypeSuperAdmin, 0))
 
 	tests := []struct {
 		name     string
@@ -169,7 +169,7 @@ func TestPermissionPlatformFilter_Tree(t *testing.T) {
 	service := permission.New(permissionStore)
 
 	ctx := context.Background()
-	ctx = middleware.SetUserContext(ctx, 1, constants.UserTypeSuperAdmin, 0)
+	ctx = middleware.SetUserContext(ctx, middleware.NewSimpleUserContext(1, constants.UserTypeSuperAdmin, 0))
 
 	// 创建层级权限
 	parent := &model.Permission{

tests/unit/role_assignment_limit_test.go

@@ -26,7 +26,7 @@ func TestRoleAssignmentLimit_PlatformUser(t *testing.T) {
 	service := account.New(accountStore, roleStore, accountRoleStore)
 
 	ctx := context.Background()
-	ctx = middleware.SetUserContext(ctx, 1, constants.UserTypeSuperAdmin, 0)
+	ctx = middleware.SetUserContext(ctx, middleware.NewSimpleUserContext(1, constants.UserTypeSuperAdmin, 0))
 
 	// 创建平台用户
 	platformUser := &model.Account{
@@ -66,7 +66,7 @@ func TestRoleAssignmentLimit_AgentUser(t *testing.T) {
 	service := account.New(accountStore, roleStore, accountRoleStore)
 
 	ctx := context.Background()
-	ctx = middleware.SetUserContext(ctx, 1, constants.UserTypeSuperAdmin, 0)
+	ctx = middleware.SetUserContext(ctx, middleware.NewSimpleUserContext(1, constants.UserTypeSuperAdmin, 0))
 
 	// 创建代理账号
 	agentAccount := &model.Account{
@@ -109,7 +109,7 @@ func TestRoleAssignmentLimit_EnterpriseUser(t *testing.T) {
 	service := account.New(accountStore, roleStore, accountRoleStore)
 
 	ctx := context.Background()
-	ctx = middleware.SetUserContext(ctx, 1, constants.UserTypeSuperAdmin, 0)
+	ctx = middleware.SetUserContext(ctx, middleware.NewSimpleUserContext(1, constants.UserTypeSuperAdmin, 0))
 
 	// 创建企业账号
 	enterpriseAccount := &model.Account{
@@ -152,7 +152,7 @@ func TestRoleAssignmentLimit_SuperAdmin(t *testing.T) {
 	service := account.New(accountStore, roleStore, accountRoleStore)
 
 	ctx := context.Background()
-	ctx = middleware.SetUserContext(ctx, 1, constants.UserTypeSuperAdmin, 0)
+	ctx = middleware.SetUserContext(ctx, middleware.NewSimpleUserContext(1, constants.UserTypeSuperAdmin, 0))
 
 	// 创建超级管理员
 	superAdmin := &model.Account{