refactor(plugins): comprehensive code review - ~35 fixes across 14 plugins

Phase 1 - Plugin code review (14/14 plugins):
- Security: 3x token leak in print→logger.debug, Bearer prefix handling
- Bug: bare except→specific exceptions, HorseState type safety, sync→async
- Critical: response_model undefined, route dead code, sync blocking event loop
- Quality: 11x print()→logger, variable name shadowing, consistent logging

Phase 2 - Deep analysis:
- Fix: payout int truncation→max(1, round(amount*odds))
- Fix: room_store get_lock race condition→dict.setdefault()
- Verify: data_manager f-string SQL is safe (uses ? placeholders)

Infrastructure: review reports generated for all plugins.

danding_bot/plugins/group_horse_racing/commands/race.py

@@ -143,7 +143,7 @@ async def handle_cancel_race(bot: Bot, event: Event):
         room.bets.clear()
 
         for horse in room.horses.values():
-            horse.state = HorseState.WAITING
+            horse.state = HorseState.READY
 
         room.state = RoomState.WAITING
         room.tick_count = 0

danding_bot/plugins/group_horse_racing/commands/shared.py

@@ -5,7 +5,7 @@ from nonebot.adapters.onebot.v11 import Bot, Event, GroupMessageEvent, Message,
 
 from danding_bot.plugins.danding_qqpush.config import Config as QqPushConfig
 from danding_bot.plugins.danding_qqpush.image_render import ImageRenderer
-from ..room_store import RoomStore
+from ..room_store import room_store  # use the singleton managed by __init__.py lifecycle hooks
 from ..points_service import PointsService
 from ..race_engine import RaceEngine
 from ..message_service import MessageService
@@ -14,8 +14,6 @@ from ..models import Room, Horse, Bet, HorseState, RoomState, RaceResult
 from .. import plugin_config as config
 
 logger = logging.getLogger("horse_racing.commands")
-
-room_store = RoomStore(config)
 points_service = PointsService(config)
 race_engine = RaceEngine(config)
 message_service = MessageService(config)