fix: 支付安全审核修复（支付宝+微信）

支付宝:
- 回调增加 app_id 校验，防止跨商户通知
- 回调增加 sign_type 过滤，仅接受 RSA2
- 退款增加 out_request_no 保证幂等
- 金额解析增加精度保护
- timestamp 改用 CST 时区

微信:
- 自行实现 AES-GCM 解密替代库的 decipher_gcm（修复 AuthTag 未验证）
- WXPAY_PUBLIC_KEY_ID 改为必填
- serial 匹配检查改为强制
- 时间戳校验移到签名验证之前
- nonce 改用 crypto.randomBytes
- publicKey 不允许空 Buffer fallback

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

src/lib/payment/index.ts

@@ -49,11 +49,12 @@ export function initPaymentProviders(): void {
       !env.WXPAY_PRIVATE_KEY ||
       !env.WXPAY_API_V3_KEY ||
       !env.WXPAY_PUBLIC_KEY ||
+      !env.WXPAY_PUBLIC_KEY_ID ||
       !env.WXPAY_CERT_SERIAL ||
       !env.WXPAY_NOTIFY_URL
     ) {
       throw new Error(
-        'PAYMENT_PROVIDERS includes wxpay but required env vars are missing: WXPAY_APP_ID, WXPAY_MCH_ID, WXPAY_PRIVATE_KEY, WXPAY_API_V3_KEY, WXPAY_PUBLIC_KEY, WXPAY_CERT_SERIAL, WXPAY_NOTIFY_URL',
+        'PAYMENT_PROVIDERS includes wxpay but required env vars are missing: WXPAY_APP_ID, WXPAY_MCH_ID, WXPAY_PRIVATE_KEY, WXPAY_API_V3_KEY, WXPAY_PUBLIC_KEY, WXPAY_PUBLIC_KEY_ID, WXPAY_CERT_SERIAL, WXPAY_NOTIFY_URL',
       );
     }
     paymentRegistry.register(new WxpayProvider());