refactor(plugins): comprehensive code review - ~35 fixes across 14 plugins

Phase 1 - Plugin code review (14/14 plugins):
- Security: 3x token leak in print→logger.debug, Bearer prefix handling
- Bug: bare except→specific exceptions, HorseState type safety, sync→async
- Critical: response_model undefined, route dead code, sync blocking event loop
- Quality: 11x print()→logger, variable name shadowing, consistent logging

Phase 2 - Deep analysis:
- Fix: payout int truncation→max(1, round(amount*odds))
- Fix: room_store get_lock race condition→dict.setdefault()
- Verify: data_manager f-string SQL is safe (uses ? placeholders)

Infrastructure: review reports generated for all plugins.

danding_bot/plugins/group_horse_racing/points_service.py

@@ -53,7 +53,7 @@ class PointsService:
         self, user_id: str, amount: int, odds: float
     ) -> Tuple[bool, int]:
         """Payout bet winnings."""
-        payout = int(amount * odds)
+        payout = max(1, round(amount * odds))
         reason = f"下注获胜 ×{odds:.2f}"
         return await points_api.add_points(user_id, payout, "horse_race", reason)