feat: 集成微信支付直连（Native + H5）及金融级安全修复

- 新增 wxpay provider（wechatpay-node-v3 SDK），支持 Native 扫码和 H5 跳转
- 新增 /api/wxpay/notify 回调路由，AES-256-GCM 解密 + RSA 签名验证
- 修复 confirmPayment count=0 静默成功、充值失败返回 true 等 P0 问题
- 修复 notifyUrl 硬编码 easypay、回调金额覆盖订单金额等 P1 问题
- 手续费计算改用 Prisma.Decimal 精确运算，消除浮点误差
- 支付宝 provider 移除冗余 paramsForVerify，fetch 添加超时
- 补充 .env.example 配置文档和 CLAUDE.md 支付渠道说明

src/lib/wxpay/provider.ts

@@ -0,0 +1,160 @@
+import type {
+  PaymentProvider,
+  PaymentType,
+  CreatePaymentRequest,
+  CreatePaymentResponse,
+  QueryOrderResponse,
+  PaymentNotification,
+  RefundRequest,
+  RefundResponse,
+} from '@/lib/payment/types';
+import {
+  createNativeOrder,
+  createH5Order,
+  queryOrder,
+  closeOrder,
+  createRefund,
+  decipherNotify,
+  verifyNotifySign,
+} from './client';
+import { getEnv } from '@/lib/config';
+import type { WxpayNotifyPayload, WxpayNotifyResource } from './types';
+
+export class WxpayProvider implements PaymentProvider {
+  readonly name = 'wxpay-direct';
+  readonly providerKey = 'wxpay';
+  readonly supportedTypes: PaymentType[] = ['wxpay'];
+  readonly defaultLimits = {
+    wxpay: { singleMax: 1000, dailyMax: 10000 },
+  };
+
+  async createPayment(request: CreatePaymentRequest): Promise<CreatePaymentResponse> {
+    const env = getEnv();
+    const notifyUrl = env.WXPAY_NOTIFY_URL || request.notifyUrl;
+    if (!notifyUrl) {
+      throw new Error('WXPAY_NOTIFY_URL is required');
+    }
+
+    if (request.clientIp) {
+      const h5Url = await createH5Order({
+        out_trade_no: request.orderId,
+        description: request.subject,
+        notify_url: notifyUrl,
+        amount: request.amount,
+        payer_client_ip: request.clientIp,
+      });
+      return { tradeNo: request.orderId, payUrl: h5Url };
+    }
+
+    const codeUrl = await createNativeOrder({
+      out_trade_no: request.orderId,
+      description: request.subject,
+      notify_url: notifyUrl,
+      amount: request.amount,
+    });
+    return { tradeNo: request.orderId, qrCode: codeUrl };
+  }
+
+  async queryOrder(tradeNo: string): Promise<QueryOrderResponse> {
+    const result = await queryOrder(tradeNo);
+
+    let status: 'pending' | 'paid' | 'failed' | 'refunded';
+    switch (result.trade_state) {
+      case 'SUCCESS':
+        status = 'paid';
+        break;
+      case 'REFUND':
+        status = 'refunded';
+        break;
+      case 'CLOSED':
+      case 'PAYERROR':
+        status = 'failed';
+        break;
+      default:
+        status = 'pending';
+    }
+
+    const amount = result.amount as { total?: number } | undefined;
+    const totalFen = amount?.total ?? 0;
+
+    return {
+      tradeNo: (result.transaction_id as string) || tradeNo,
+      status,
+      amount: totalFen / 100,
+      paidAt: result.success_time ? new Date(result.success_time as string) : undefined,
+    };
+  }
+
+  async verifyNotification(
+    rawBody: string | Buffer,
+    headers: Record<string, string>,
+  ): Promise<PaymentNotification | null> {
+    const env = getEnv();
+    if (!env.WXPAY_PUBLIC_KEY) {
+      throw new Error('WXPAY_PUBLIC_KEY is required for notification verification');
+    }
+
+    const body = typeof rawBody === 'string' ? rawBody : rawBody.toString('utf-8');
+
+    const timestamp = headers['wechatpay-timestamp'] || '';
+    const nonce = headers['wechatpay-nonce'] || '';
+    const signature = headers['wechatpay-signature'] || '';
+    const serial = headers['wechatpay-serial'] || '';
+
+    if (!timestamp || !nonce || !signature || !serial) {
+      throw new Error('Missing required Wechatpay signature headers');
+    }
+    const valid = await verifyNotifySign({ timestamp, nonce, body, serial, signature });
+    if (!valid) {
+      throw new Error('Wxpay notification signature verification failed');
+    }
+
+    const now = Math.floor(Date.now() / 1000);
+    if (Math.abs(now - Number(timestamp)) > 300) {
+      throw new Error('Wechatpay notification timestamp expired');
+    }
+
+    const payload: WxpayNotifyPayload = JSON.parse(body);
+
+    if (payload.event_type !== 'TRANSACTION.SUCCESS') {
+      return null;
+    }
+
+    const resource = decipherNotify<WxpayNotifyResource>(
+      payload.resource.ciphertext,
+      payload.resource.associated_data,
+      payload.resource.nonce,
+    );
+
+    return {
+      tradeNo: resource.transaction_id,
+      orderId: resource.out_trade_no,
+      amount: resource.amount.total / 100,
+      status: resource.trade_state === 'SUCCESS' ? 'success' : 'failed',
+      rawData: resource,
+    };
+  }
+
+  async refund(request: RefundRequest): Promise<RefundResponse> {
+    const orderResult = await queryOrder(request.orderId);
+    const amount = orderResult.amount as { total?: number } | undefined;
+    const totalFen = amount?.total ?? 0;
+
+    const result = await createRefund({
+      out_trade_no: request.orderId,
+      out_refund_no: `refund-${request.orderId}`,
+      amount: request.amount,
+      total: totalFen / 100,
+      reason: request.reason,
+    });
+
+    return {
+      refundId: (result.refund_id as string) || `${request.orderId}-refund`,
+      status: result.status === 'SUCCESS' ? 'success' : 'pending',
+    };
+  }
+
+  async cancelPayment(tradeNo: string): Promise<void> {
+    await closeOrder(tradeNo);
+  }
+}