fix(saas): admin_guard_middleware — 非 admin 用户统一返回 403

BUG-M4 修复: 之前非 admin 用户发送 malformed body 到 admin 端点时，
Axum 先反序列化 body 返回 422，绕过了权限检查。

- 新增 admin_guard_middleware (auth/mod.rs) 在中间件层拦截
- account::admin_routes() 拆分 (dashboard 独立)
- billing::admin_routes() + account::admin_routes() 加 guard layer
- 非 admin 用户无论 body 是否合法，统一返回 403

crates/zclaw-saas/src/main.rs

@@ -352,6 +352,10 @@ async fn build_router(state: AppState) -> axum::Router {
 
     let protected_routes = zclaw_saas::auth::protected_routes()
         .merge(zclaw_saas::account::routes())
+        .merge(
+            zclaw_saas::account::admin_routes()
+                .layer(middleware::from_fn(zclaw_saas::auth::admin_guard_middleware))
+        )
         .merge(zclaw_saas::model_config::routes())
         // relay::routes() 不在此合并 — SSE 端点需要更长超时，在最终 Router 单独合并
         .merge(zclaw_saas::migration::routes())
@@ -361,7 +365,10 @@ async fn build_router(state: AppState) -> axum::Router {
         .merge(zclaw_saas::scheduled_task::routes())
         .merge(zclaw_saas::telemetry::routes())
         .merge(zclaw_saas::billing::routes())
-        .merge(zclaw_saas::billing::admin_routes())
+        .merge(
+            zclaw_saas::billing::admin_routes()
+                .layer(middleware::from_fn(zclaw_saas::auth::admin_guard_middleware))
+        )
         .merge(zclaw_saas::knowledge::routes())
         .merge(zclaw_saas::industry::routes())
         .layer(middleware::from_fn_with_state(