fix(saas): admin_guard_middleware — 非 admin 用户统一返回 403

BUG-M4 修复: 之前非 admin 用户发送 malformed body 到 admin 端点时，
Axum 先反序列化 body 返回 422，绕过了权限检查。

- 新增 admin_guard_middleware (auth/mod.rs) 在中间件层拦截
- account::admin_routes() 拆分 (dashboard 独立)
- billing::admin_routes() + account::admin_routes() 加 guard layer
- 非 admin 用户无论 body 是否合法，统一返回 403

crates/zclaw-saas/src/account/mod.rs

@@ -16,8 +16,13 @@ pub fn routes() -> axum::Router<crate::state::AppState> {
         .route("/api/v1/tokens", post(handlers::create_token))
         .route("/api/v1/tokens/:id", delete(handlers::revoke_token))
         .route("/api/v1/logs/operations", get(handlers::list_operation_logs))
-        .route("/api/v1/admin/dashboard", get(handlers::dashboard_stats))
         .route("/api/v1/devices", get(handlers::list_devices))
         .route("/api/v1/devices/register", post(handlers::register_device))
         .route("/api/v1/devices/heartbeat", post(handlers::device_heartbeat))
 }
+
+/// Admin-only 路由 (需 admin_guard_middleware 保护)
+pub fn admin_routes() -> axum::Router<crate::state::AppState> {
+    axum::Router::new()
+        .route("/api/v1/admin/dashboard", get(handlers::dashboard_stats))
+}