refactor(plugins): comprehensive code review - ~35 fixes across 14 plugins

Phase 1 - Plugin code review (14/14 plugins):
- Security: 3x token leak in print→logger.debug, Bearer prefix handling
- Bug: bare except→specific exceptions, HorseState type safety, sync→async
- Critical: response_model undefined, route dead code, sync blocking event loop
- Quality: 11x print()→logger, variable name shadowing, consistent logging

Phase 2 - Deep analysis:
- Fix: payout int truncation→max(1, round(amount*odds))
- Fix: room_store get_lock race condition→dict.setdefault()
- Verify: data_manager f-string SQL is safe (uses ? placeholders)

Infrastructure: review reports generated for all plugins.

danding_bot/plugins/auto_recall/config.py

@@ -1,5 +1,11 @@
-from pydantic import BaseModel, Field
-
-class Config(BaseModel):
-    recall_delay: int = Field(default=110, env="RECALL_DELAY")  # 撤回延迟时间，默认 110 秒
-    qqpush_recall_delay: int = Field(default=3600, env="QQPUSH_RECALL_DELAY")  # danding_qqpush 消息撤回延迟时间，默认 3600 秒（1小时）
+from pydantic import BaseModel, Field, validator
+
+class Config(BaseModel):
+    recall_delay: int = Field(default=110, ge=1, env="RECALL_DELAY")
+    qqpush_recall_delay: int = Field(default=3600, ge=1, env="QQPUSH_RECALL_DELAY")
+
+    @validator("recall_delay", "qqpush_recall_delay")
+    def delay_must_be_positive(cls, v: int) -> int:
+        if v < 1:
+            raise ValueError("撤回延迟必须大于0秒")
+        return v