fix: API 路由安全加固与架构优化 — 认证、错误处理、Registry 统一

- /api/user 添加 token 认证，防止用户枚举
- Admin token 支持 Authorization header
- /api/orders/my 区分认证失败和服务端错误
- Admin orders userId/date 参数校验
- Decimal 字段统一 Number() 转换
- 抽取 handleApiError/extractHeaders 工具函数
- Webhook 路由改用 Registry 获取 Provider
- PaymentRegistry lazy init 自动初始化

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

src/app/api/admin/orders/[id]/route.ts

@@ -23,6 +23,8 @@ export async function GET(request: NextRequest, { params }: { params: Promise<{
   return NextResponse.json({
     ...order,
     amount: Number(order.amount),
+    payAmount: order.payAmount ? Number(order.payAmount) : null,
+    feeRate: order.feeRate ? Number(order.feeRate) : null,
     refundAmount: order.refundAmount ? Number(order.refundAmount) : null,
   });
 }