feat: two-role system — super_admin & admin program (Fasa 12)

- Replace is_admin boolean with role enum('super_admin','admin') via migration
- ProgramPolicy: admin program can only view/edit/delete own programs
- EnsureIsAdmin: accepts both roles; EnsureSuperAdmin: super_admin only
- UserController + views: super_admin can manage admin accounts
- Sidebar: user management link & role badge gated on isSuperAdmin()
- Fix Controller base class: add AuthorizesRequests trait
- Fix tests: replace nonAdmin() (invalid enum) with adminProgram() against super_admin-only route

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

app/Http/Controllers/Admin/ProgramController.php

@@ -19,6 +19,11 @@ class ProgramController extends Controller
             ->withCount(['attendances', 'programParticipants'])
             ->latest();
 
+        // Admin program hanya nampak program sendiri
+        if (auth()->user()->isAdminProgram()) {
+            $query->where('created_by', auth()->id());
+        }
+
         if ($request->filled('search')) {
             $query->where(function ($q) use ($request) {
                 $q->where('title', 'like', '%' . $request->search . '%')
@@ -57,6 +62,8 @@ class ProgramController extends Controller
 
     public function show(Program $program): View
     {
+        $this->authorize('view', $program);
+
         $program->load([
             'qrCode',
             'certificateTemplate',
@@ -77,11 +84,15 @@ class ProgramController extends Controller
 
     public function edit(Program $program): View
     {
+        $this->authorize('update', $program);
+
         return view('admin.programs.edit', compact('program'));
     }
 
     public function update(UpdateProgramRequest $request, Program $program): RedirectResponse
     {
+        $this->authorize('update', $program);
+
         $old = $program->only([
             'title', 'status', 'checkin_start_at', 'checkin_end_at',
             'ecert_download_start_at', 'ecert_download_end_at',
@@ -98,6 +109,8 @@ class ProgramController extends Controller
 
     public function destroy(Program $program): RedirectResponse
     {
+        $this->authorize('delete', $program);
+
         if ($program->attendances()->exists()) {
             return back()->with('error', 'Program tidak boleh dipadam kerana sudah ada rekod kehadiran.');
         }
@@ -113,6 +126,8 @@ class ProgramController extends Controller
 
     public function publish(Program $program): RedirectResponse
     {
+        $this->authorize('update', $program);
+
         if ($program->status !== 'draft') {
             return back()->with('error', 'Hanya program berstatus Draf boleh diterbitkan.');
         }
@@ -125,6 +140,8 @@ class ProgramController extends Controller
 
     public function close(Program $program): RedirectResponse
     {
+        $this->authorize('update', $program);
+
         if ($program->status !== 'published') {
             return back()->with('error', 'Hanya program berstatus Diterbitkan boleh ditutup.');
         }

app/Http/Controllers/Admin/UserController.php

@@ -0,0 +1,89 @@
+<?php
+
+namespace App\Http\Controllers\Admin;
+
+use App\Http\Controllers\Controller;
+use App\Models\User;
+use App\Services\AuditLogService;
+use Illuminate\Http\RedirectResponse;
+use Illuminate\Http\Request;
+use Illuminate\Validation\Rules\Password;
+use Illuminate\View\View;
+
+class UserController extends Controller
+{
+    public function index(): View
+    {
+        $users = User::withCount('programs')->latest()->paginate(20);
+
+        return view('admin.users.index', compact('users'));
+    }
+
+    public function create(): View
+    {
+        return view('admin.users.create');
+    }
+
+    public function store(Request $request): RedirectResponse
+    {
+        $data = $request->validate([
+            'name'     => 'required|string|max:255',
+            'email'    => 'required|email|max:255|unique:users,email',
+            'role'     => 'required|in:super_admin,admin',
+            'password' => ['required', 'confirmed', Password::min(8)->mixedCase()->numbers()],
+        ]);
+
+        $user = User::create($data);
+
+        AuditLogService::log('user.created', $user, [], ['email' => $user->email, 'role' => $user->role]);
+
+        return redirect()->route('admin.users.index')
+            ->with('success', 'Pengguna "' . $user->name . '" berjaya ditambah.');
+    }
+
+    public function edit(User $user): View
+    {
+        return view('admin.users.edit', compact('user'));
+    }
+
+    public function update(Request $request, User $user): RedirectResponse
+    {
+        $rules = [
+            'name'  => 'required|string|max:255',
+            'email' => 'required|email|max:255|unique:users,email,' . $user->id,
+            'role'  => 'required|in:super_admin,admin',
+        ];
+
+        if ($request->filled('password')) {
+            $rules['password'] = ['confirmed', Password::min(8)->mixedCase()->numbers()];
+        }
+
+        $data = $request->validate($rules);
+
+        if (! $request->filled('password')) {
+            unset($data['password']);
+        }
+
+        $old = $user->only(['name', 'email', 'role']);
+        $user->update($data);
+
+        AuditLogService::log('user.updated', $user, $old, $user->only(['name', 'email', 'role']));
+
+        return redirect()->route('admin.users.index')
+            ->with('success', 'Maklumat pengguna "' . $user->name . '" berjaya dikemas kini.');
+    }
+
+    public function destroy(User $user): RedirectResponse
+    {
+        if ($user->id === auth()->id()) {
+            return back()->with('error', 'Anda tidak boleh padam akaun sendiri.');
+        }
+
+        $name = $user->name;
+        AuditLogService::log('user.deleted', $user);
+        $user->delete();
+
+        return redirect()->route('admin.users.index')
+            ->with('success', 'Pengguna "' . $name . '" berjaya dipadam.');
+    }
+}