feat: security hardening (Fasa 10)

- EnsureIsAdmin middleware: gates all admin routes on is_admin flag
- Apply admin middleware to entire admin route group
- Fix questionnaire resource route parameter name mismatch ({set})
- Audit log on questionnaire confirmation

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

app/Http/Controllers/Admin/ProgramQuestionnaireController.php

@@ -6,6 +6,7 @@ use App\Http\Controllers\Controller;
 use App\Models\Program;
 use App\Models\ProgramQuestionnaire;
 use App\Models\QuestionnaireSet;
+use App\Services\AuditLogService;
 use Illuminate\Http\RedirectResponse;
 use Illuminate\Http\Request;
 use Illuminate\View\View;
@@ -63,6 +64,8 @@ class ProgramQuestionnaireController extends Controller
             'confirmed_by' => auth()->id(),
         ]);
 
+        AuditLogService::log('questionnaire.confirmed', $pq, [], ['program_id' => $program->id, 'questionnaire_set_id' => $pq->questionnaire_set_id]);
+
         return back()->with('success', 'Soalselidik telah disahkan untuk program ini.');
     }
 

app/Http/Middleware/EnsureIsAdmin.php

@@ -0,0 +1,19 @@
+<?php
+
+namespace App\Http\Middleware;
+
+use Closure;
+use Illuminate\Http\Request;
+use Symfony\Component\HttpFoundation\Response;
+
+class EnsureIsAdmin
+{
+    public function handle(Request $request, Closure $next): Response
+    {
+        if (! $request->user()?->is_admin) {
+            abort(403, 'Akses ditolak.');
+        }
+
+        return $next($request);
+    }
+}