
Add an admin authorization matrix with audit logging for all admin entrypoints #591

@greatest0fallt1me

Description


Admin authorization is spread across several helpers and not uniformly audited. contracts/predictify-hybrid/src/admin.rs defines AdminRole, AdminPermission, and validation paths (AdminAccessControl::validate_permission, AdminManager::validate_admin_permission), and audit_trail.rs provides AuditTrailManager::append_record with AuditAction variants. However, some entrypoints use a narrower require_primary_admin check (e.g. set_oracle_val_cfg_global at contracts/predictify-hybrid/src/lib.rs:3808) and not every admin action appends an audit record. This issue establishes a single role/permission matrix and guarantees audit logging on every admin entrypoint.

Requirements and context

  • Authorization primitives: AdminRole (admin.rs:31), AdminPermission (admin.rs:47), AdminAccessControl::validate_permission (admin.rs:495), AdminManager::validate_admin_permission.
  • Audit primitives: crate::audit_trail::{AuditAction, AuditTrailManager} (already imported in admin.rs:13), with append_record (used e.g. at lib.rs:3824).
  • Produce a documented mapping of each admin entrypoint in lib.rs to its required AdminPermission, and route all admin entrypoints through validate_permission (not ad-hoc require_primary_admin) where appropriate.
  • Ensure every admin entrypoint appends an AuditAction record on success (and ideally on rejection) so the audit trail is complete.
  • Non-functional: no behavior regression for currently-authorized callers; keep storage writes TTL-consistent and avoid duplicate audit entries.

Acceptance criteria

  • A single permission matrix maps every admin entrypoint to an AdminPermission, enforced via AdminAccessControl::validate_permission.
  • Each admin entrypoint appends an appropriate AuditAction record via AuditTrailManager.
  • Ad-hoc require_primary_admin usages are either justified or migrated to the matrix.
  • Unauthorized calls are rejected with Error::Unauthorized and (where feasible) audited.
  • Tests assert authorized success, unauthorized rejection, and audit-record emission for a representative set of admin entrypoints.
  • cargo fmt, cargo clippy, and cargo test pass.
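The pattern the requirements and acceptance criteria describe, as an added illustration rather than code from the predictify-hybrid contract: one permission matrix keyed by entrypoint, one guard (`validate_permission`) that every admin entrypoint calls, and exactly one audit record per call whether it is permitted or rejected. The type names mirror the issue text, but the variants, the `AdminEntrypoint` enum, the role grants, the in-memory storage and the `set_oracle_val_cfg_global` wrapper are all assumptions made for this example and do not use the Soroban SDK.

```rust
// Added example (not code from the predictify-hybrid contract): an in-memory
// model of "one permission matrix + one guard + one audit record per call".
// Type names follow the issue; every variant and grant below is an assumption.
use std::collections::HashMap;

#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)]
pub enum AdminRole { Primary, Operator, Auditor }

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum AdminPermission { ConfigureOracle, ManageAdmins, PauseContract, ViewAudit }

/// Every admin entrypoint, listed once. Adding a variant here without
/// extending `permission_for` is a compile error, so the matrix stays complete.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum AdminEntrypoint { SetOracleValCfgGlobal, AddAdmin, PauseContract, ReadAuditTrail }

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum AuditAction { Permitted, Rejected }

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct AuditRecord {
    pub caller: String,
    pub role: Option<AdminRole>, // None when the caller holds no admin role
    pub entrypoint: AdminEntrypoint,
    pub action: AuditAction,
}

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Error { Unauthorized }

/// The permission matrix: exactly one required permission per entrypoint.
pub fn permission_for(ep: AdminEntrypoint) -> AdminPermission {
    match ep {
        AdminEntrypoint::SetOracleValCfgGlobal => AdminPermission::ConfigureOracle,
        AdminEntrypoint::AddAdmin => AdminPermission::ManageAdmins,
        AdminEntrypoint::PauseContract => AdminPermission::PauseContract,
        AdminEntrypoint::ReadAuditTrail => AdminPermission::ViewAudit,
    }
}

/// Permissions held by each role (assumed grants for the example).
pub fn role_permissions(role: AdminRole) -> &'static [AdminPermission] {
    use AdminPermission::*;
    match role {
        AdminRole::Primary => &[ConfigureOracle, ManageAdmins, PauseContract, ViewAudit],
        AdminRole::Operator => &[ConfigureOracle, PauseContract],
        AdminRole::Auditor => &[ViewAudit],
    }
}

pub struct AdminAccessControl {
    roles: HashMap<String, AdminRole>,
    audit: Vec<AuditRecord>,
    oracle_cfg: u32, // stand-in for the contract state an entrypoint mutates
}

impl AdminAccessControl {
    pub fn new() -> Self {
        Self { roles: HashMap::new(), audit: Vec::new(), oracle_cfg: 0 }
    }

    pub fn grant_role(&mut self, caller: &str, role: AdminRole) {
        self.roles.insert(caller.to_string(), role);
    }

    /// The single guard every admin entrypoint goes through. It appends exactly
    /// one audit record per call, on success and on rejection alike, so the
    /// entrypoints themselves never append a record (no duplicate entries).
    pub fn validate_permission(&mut self, caller: &str, ep: AdminEntrypoint) -> Result<(), Error> {
        let role = self.roles.get(caller).copied();
        let allowed = role
            .map(|r| role_permissions(r).contains(&permission_for(ep)))
            .unwrap_or(false);
        self.audit.push(AuditRecord {
            caller: caller.to_string(),
            role,
            entrypoint: ep,
            action: if allowed { AuditAction::Permitted } else { AuditAction::Rejected },
        });
        if allowed { Ok(()) } else { Err(Error::Unauthorized) }
    }

    /// An entrypoint routed through the matrix instead of an ad-hoc
    /// primary-admin check: authorize first, touch state only after Ok.
    pub fn set_oracle_val_cfg_global(&mut self, caller: &str, value: u32) -> Result<(), Error> {
        self.validate_permission(caller, AdminEntrypoint::SetOracleValCfgGlobal)?;
        self.oracle_cfg = value;
        Ok(())
    }

    pub fn oracle_cfg(&self) -> u32 { self.oracle_cfg }

    pub fn audit_trail(&self) -> &[AuditRecord] { &self.audit }
}
```

Two design choices carry the acceptance criteria: the matrix is an exhaustive `match` over an enum of entrypoints, so completeness is checked by the compiler rather than by a reviewer, and the audit append lives inside the guard, so "every entrypoint is audited" and "no duplicate audit entries" follow from the call structure instead of from each entrypoint remembering to log. A rejected call still produces a record, with `role: None` for callers that hold no admin role at all.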

Suggested execution

1. Fork the repo and create a branch: git checkout -b feature/admin-auth-matrix-audit.
2. Implement changes in contracts/predictify-hybrid/src/admin.rs, contracts/predictify-hybrid/src/audit_trail.rs, and the admin entrypoints in contracts/predictify-hybrid/src/lib.rs.
3. Write/extend tests: extend contracts/predictify-hybrid/src/admin_auth_audit_tests.rs and require_auth_coverage_tests.rs.
4. Test and commit:

cargo fmt --all -- --check
cargo clippy --all-targets --all-features -- -D warnings
cargo test -p predictify-hybrid
stellar contract build --verbose

Example commit message

improvement: enforce admin permission matrix with audit logging on all admin entrypoints

Guidelines

≥90% coverage on authorization/audit branches. Document the matrix in doc-comments and update API_DOCUMENTATION.md (Admin Management) and docs/contracts/ADMIN_OPERATIONS.md. Timeframe: 96 hours.

Labels

  • GRANTFOX OSS (GrantFox OSS program)
  • MAYBE REWARDED (GrantFox, potentially rewarded)
  • OFFICIAL CAMPAIGN (GrantFox official campaign)
  • advanced (High complexity / deep context)
  • improvement (Refactor, performance, or tech-debt)
  • observability (Logging / metrics / tracing)
  • smart-contract (Soroban / Rust contract work)