refactor(plugins): comprehensive code review - ~35 fixes across 14 plugins

Phase 1 - Plugin code review (14/14 plugins):
- Security: 3x token leak in print→logger.debug, Bearer prefix handling
- Bug: bare except→specific exceptions, HorseState type safety, sync→async
- Critical: response_model undefined, route dead code, sync blocking event loop
- Quality: 11x print()→logger, variable name shadowing, consistent logging

Phase 2 - Deep analysis:
- Fix: payout int truncation→max(1, round(amount*odds))
- Fix: room_store get_lock race condition→dict.setdefault()
- Verify: data_manager f-string SQL is safe (uses ? placeholders)

Infrastructure: review reports generated for all plugins.

review_reports/danding_points_query_review.md

@@ -0,0 +1,28 @@
+# danding_points_query 评审报告
+
+## 修复前问题清单 (4项)
+
+| # | 严重度 | 问题 | 文件 |
+|---|--------|------|------|
+| 1 | 中 | 裸`except Exception: pass`吞错误，调试困难 | commands.py:24 |
+| 2 | 中 | `str\|None`语法需Python 3.10+，应改为`Optional[str]` | commands.py:30 |
+| 3 | 中 | points_api调用无错误处理，异常直接崩溃无用户友好提示 | commands.py多处 |
+| 4 | 低 | history_cmd对同一user重复调用`_get_user_name`(L144+L148) | commands.py:144,148 |
+
+## 修复内容
+
+### commands.py (4项修复)
+- `except Exception: pass` → `except Exception as e: logger.debug(...)` 添加日志
+- `str|None` → `Optional[str]` 兼容Python 3.9+
+- 所有5个api调用(`get_balance`×2, `get_ranking`, `get_transactions`, `_get_user_name`)均包裹try/except，异常时返回用户友好提示并记录日志
+- history_cmd中将`_get_user_name`提取到判断前，消除重复调用
+
+## 验证
+- [x] `Optional[str]`已导入
+- [x] 所有api调用有错误处理
+- [x] _get_user_name日志记录
+- [x] history_cmd无重复name查询
+
+## 代码质量总结
+插件整体结构优秀：README完善、命令层/API层分离清晰、config.py简洁。
+修复后质量评级：**A-**