fix: 修复授权记录备注修改权限问题

- 实现备注权限检查逻辑（authorization_service.go）
- 添加备注权限验证存储层（authorization_store.go）
- 新增集成测试覆盖备注权限场景
- 归档 fix-authorization-remark-permission 变更
- 同步 enterprise-card-authorization spec 规范

tests/integration/authorization_test.go

@@ -368,3 +368,111 @@ func TestAuthorization_Unauthorized(t *testing.T) {
 		assert.Equal(t, 401, resp.StatusCode)
 	})
 }
+
+func TestAuthorization_UpdateRemarkPermission(t *testing.T) {
+	env := integ.NewIntegrationTestEnv(t)
+
+	ts := time.Now().Unix() % 100000
+	shop := env.CreateTestShop("AUTH_PERM_SHOP", 1, nil)
+	enterprise := env.CreateTestEnterprise("AUTH_PERM_ENTERPRISE", &shop.ID)
+
+	card := &model.IotCard{
+		ICCID:    fmt.Sprintf("PERM%d", ts),
+		MSISDN:   "13800003001",
+		CardType: "data_card",
+		Status:   1,
+		ShopID:   &shop.ID,
+	}
+	require.NoError(t, env.TX.Create(card).Error)
+
+	agentAccount1 := env.CreateTestAccount("agent1", "password123", constants.UserTypeAgent, &shop.ID, nil)
+	agentAccount2 := env.CreateTestAccount("agent2", "password456", constants.UserTypeAgent, &shop.ID, nil)
+	enterpriseAccount := env.CreateTestAccount("enterprise1", "password789", constants.UserTypeEnterprise, nil, &enterprise.ID)
+
+	now := time.Now()
+	authByAgent1 := &model.EnterpriseCardAuthorization{
+		EnterpriseID:   enterprise.ID,
+		CardID:         card.ID,
+		AuthorizedBy:   agentAccount1.ID,
+		AuthorizedAt:   now,
+		AuthorizerType: constants.UserTypeAgent,
+		Remark:         "代理1创建的授权记录",
+	}
+	require.NoError(t, env.TX.Create(authByAgent1).Error)
+
+	t.Run("平台用户可修改任意授权记录备注", func(t *testing.T) {
+		url := fmt.Sprintf("/api/admin/authorizations/%d/remark", authByAgent1.ID)
+		body := map[string]string{"remark": "平台修改的备注"}
+		bodyBytes, _ := json.Marshal(body)
+
+		resp, err := env.AsSuperAdmin().Request("PUT", url, bodyBytes)
+		require.NoError(t, err)
+		defer resp.Body.Close()
+
+		assert.Equal(t, 200, resp.StatusCode)
+
+		var result response.Response
+		err = json.NewDecoder(resp.Body).Decode(&result)
+		require.NoError(t, err)
+		assert.Equal(t, 0, result.Code)
+
+		data := result.Data.(map[string]interface{})
+		assert.Equal(t, "平台修改的备注", data["remark"])
+	})
+
+	t.Run("代理用户可修改本人创建的授权记录备注", func(t *testing.T) {
+		url := fmt.Sprintf("/api/admin/authorizations/%d/remark", authByAgent1.ID)
+		body := map[string]string{"remark": "代理1自己修改的备注"}
+		bodyBytes, _ := json.Marshal(body)
+
+		resp, err := env.AsUser(agentAccount1).Request("PUT", url, bodyBytes)
+		require.NoError(t, err)
+		defer resp.Body.Close()
+
+		assert.Equal(t, 200, resp.StatusCode)
+
+		var result response.Response
+		err = json.NewDecoder(resp.Body).Decode(&result)
+		require.NoError(t, err)
+		assert.Equal(t, 0, result.Code)
+
+		data := result.Data.(map[string]interface{})
+		assert.Equal(t, "代理1自己修改的备注", data["remark"])
+	})
+
+	t.Run("代理用户不可修改他人创建的授权记录备注", func(t *testing.T) {
+		url := fmt.Sprintf("/api/admin/authorizations/%d/remark", authByAgent1.ID)
+		body := map[string]string{"remark": "代理2试图修改的备注"}
+		bodyBytes, _ := json.Marshal(body)
+
+		resp, err := env.AsUser(agentAccount2).Request("PUT", url, bodyBytes)
+		require.NoError(t, err)
+		defer resp.Body.Close()
+
+		assert.Equal(t, 403, resp.StatusCode)
+
+		var result response.Response
+		err = json.NewDecoder(resp.Body).Decode(&result)
+		require.NoError(t, err)
+		assert.NotEqual(t, 0, result.Code)
+		assert.Contains(t, result.Message, "只能修改自己创建的授权记录备注")
+	})
+
+	t.Run("企业用户不允许修改授权记录备注", func(t *testing.T) {
+		url := fmt.Sprintf("/api/admin/authorizations/%d/remark", authByAgent1.ID)
+		body := map[string]string{"remark": "企业试图修改的备注"}
+		bodyBytes, _ := json.Marshal(body)
+
+		resp, err := env.AsUser(enterpriseAccount).Request("PUT", url, bodyBytes)
+		require.NoError(t, err)
+		defer resp.Body.Close()
+
+		assert.Equal(t, 403, resp.StatusCode)
+
+		var result response.Response
+		err = json.NewDecoder(resp.Body).Decode(&result)
+		require.NoError(t, err)
+		assert.NotEqual(t, 0, result.Code)
+		assert.Contains(t, result.Message, "权限不足")
+	})
+}