feat: OpenAPI 契约对齐与框架优化

主要变更：
1. OpenAPI 文档契约对齐
   - 统一错误响应字段名为 msg（非 message）
   - 规范 envelope 响应结构（code, msg, data, timestamp）
   - 个人客户路由纳入文档体系（使用 Register 机制）
   - 新增 BuildDocHandlers() 统一管理 handler 构造
   - 确保文档生成的幂等性

2. Service 层错误处理统一
   - 全面替换 fmt.Errorf 为 errors.New/Wrap
   - 统一错误码使用规范
   - Handler 层参数校验不泄露底层细节
   - 新增错误码验证集成测试

3. 代码质量提升
   - 删除未使用的 Task handler 和路由
   - 新增代码规范检查脚本（check-service-errors.sh）
   - 新增注释路径一致性检查（check-comment-paths.sh）
   - 更新 API 文档生成指南

4. OpenSpec 归档
   - 归档 openapi-contract-alignment 变更（63 tasks）
   - 归档 service-error-unify-core 变更
   - 归档 service-error-unify-support 变更
   - 归档 code-cleanup-docs-update 变更
   - 归档 handler-validation-security 变更
   - 同步 delta specs 到主规范文件

影响范围：
- pkg/openapi: 新增 handlers.go，优化 generator.go
- internal/service/*: 48 个 service 文件错误处理统一
- internal/handler/admin: 优化参数校验错误提示
- internal/routes: 个人客户路由改造，删除 task 路由
- scripts: 新增 3 个代码检查脚本
- docs: 更新 OpenAPI 文档（15750+ 行）
- openspec/specs: 同步 3 个主规范文件

破坏性变更：无
向后兼容：是

docs/rate-limiting.md

@@ -19,6 +19,18 @@ Comprehensive guide for configuring and using the rate limiting middleware in Ju
 
 The rate limiting middleware protects your API from abuse by limiting the number of requests a client can make within a specified time window. It operates at the IP address level, ensuring each client has independent rate limits.
 
+### Coverage Scope
+
+Rate limiting is applied to the following business API route groups:
+- ✅ `/api/admin/*` - Admin management APIs
+- ✅ `/api/h5/*` - H5 client APIs
+- ✅ `/api/c/v1/*` - Personal customer APIs
+
+The following routes are **explicitly excluded** from rate limiting:
+- ❌ `/api/callback/*` - Third-party callback routes (payment, webhooks)
+- ❌ `/health` - Health check endpoint
+- ❌ `/ready` - Readiness check endpoint
+
 ### Key Features
 
 - **IP-based rate limiting**: Each client IP has independent counters
@@ -27,6 +39,7 @@ The rate limiting middleware protects your API from abuse by limiting the number
 - **Fail-safe operation**: Continues with in-memory storage if Redis fails
 - **Hot-reloadable**: Change limits without restarting server
 - **Unified error responses**: Returns 429 with standardized error format
+- **Selective coverage**: Applied only to business API routes
 
 ### How It Works
 
@@ -355,27 +368,46 @@ func main() {
     
     app := fiber.New()
     
-    // Optional: Register rate limiter middleware
+    // Optional: Apply rate limiter to business API route groups
     if config.GetConfig().Middleware.EnableRateLimiter {
-        var storage fiber.Storage = nil
+        rateLimitMiddleware := createRateLimiter(cfg, appLogger)
         
-        // Use Redis storage if configured
-        if config.GetConfig().Middleware.RateLimiter.Storage == "redis" {
-            storage = redisStorage // Assume redisStorage is initialized
-        }
+        // Admin API group
+        adminGroup := app.Group("/api/admin")
+        adminGroup.Use(rateLimitMiddleware)
         
-        app.Use(middleware.RateLimiter(
-            config.GetConfig().Middleware.RateLimiter.Max,
-            config.GetConfig().Middleware.RateLimiter.Expiration,
-            storage,
-        ))
+        // H5 API group
+        h5Group := app.Group("/api/h5")
+        h5Group.Use(rateLimitMiddleware)
+        
+        // Personal customer API group
+        personalGroup := app.Group("/api/c/v1")
+        personalGroup.Use(rateLimitMiddleware)
     }
     
-    // Register routes
-    app.Get("/api/v1/users", listUsersHandler)
+    // Health check (excluded from rate limiting)
+    app.Get("/health", healthHandler)
+    
+    // Callback routes (excluded from rate limiting)
+    callbackGroup := app.Group("/api/callback")
+    callbackGroup.Post("/payment", paymentCallbackHandler)
     
     app.Listen(":3000")
 }
+
+func createRateLimiter(cfg *config.Config, logger *zap.Logger) fiber.Handler {
+    var storage fiber.Storage = nil
+    
+    if cfg.Middleware.RateLimiter.Storage == "redis" {
+        storage = middleware.NewRedisStorage(/* ... */)
+    }
+    
+    return middleware.RateLimiter(
+        cfg.Middleware.RateLimiter.Max,
+        cfg.Middleware.RateLimiter.Expiration,
+        storage,
+    )
+}
 ```
 
 ### Custom Rate Limiter (Different Limits for Different Routes)
@@ -402,14 +434,19 @@ adminAPI.Post("/users", createUserHandler)
 ### Bypassing Rate Limiter for Specific Routes
 
 ```go
-// Apply rate limiter globally
-app.Use(middleware.RateLimiter(100, 1*time.Minute, nil))
+// Apply rate limiter to specific route groups only
+rateLimitMiddleware := middleware.RateLimiter(100, 1*time.Minute, nil)
 
-// But register health check BEFORE rate limiter
+// Business API routes (rate limited)
+adminGroup := app.Group("/api/admin")
+adminGroup.Use(rateLimitMiddleware)
+
+// Health check (excluded from rate limiting)
 app.Get("/health", healthHandler)  // Not rate limited
 
-// Alternative: Register after but add skip logic in middleware
-// (requires custom middleware modification)
+// Callback routes (excluded from rate limiting)
+callbackGroup := app.Group("/api/callback")
+callbackGroup.Post("/payment", paymentCallbackHandler)  // Not rate limited
 ```
 
 ### Testing Rate Limiter in Code