refactor(P0): JWT 认证、并发安全、错误日志三项安全加固

- 新增 JWT httpOnly cookie 认证链路 (jose)，登录/注册签发 token，
  所有用户和盲盒 API 改为从 cookie 提取 userId，不再信任客户端传值
- 新增 /api/auth/logout 端点清除认证 cookie
- GET /api/user 区分 owner/非 owner，非 owner 不暴露 email
- atomicUpdateRoom 新增 per-room 应用层互斥锁，防止 SQLite 下并发 lost update
- 修复 getRoomData 中 fire-and-forget delete 改为 await
- 37 个静默 catch 块跨 17 个文件添加 console.error 日志
- 新增 REFACTOR_PLAN.md 全景分析文档

src/lib/ai.ts

@@ -132,7 +132,8 @@ export async function tagIdea(content: string): Promise<IdeaTags | null> {
       searchQuery: parsed.searchQuery,
       searchType: parsed.searchType,
     };
-  } catch {
+  } catch (e) {
+    console.error("tagIdea failed:", e);
     return null;
   }
 }
@@ -170,7 +171,8 @@ export async function suggestIdeas(existingIdeas: string[]): Promise<string[]> {
     return parsed.suggestions
       .filter((s: unknown) => typeof s === "string" && s.length > 0)
       .slice(0, 4);
-  } catch {
+  } catch (e) {
+    console.error("suggestIdeas failed:", e);
     return [];
   }
 }
@@ -236,7 +238,8 @@ ${Object.entries(ctx.candidates)
       })),
       summary: String(parsed.summary ?? ""),
     };
-  } catch {
+  } catch (e) {
+    console.error("generateSchedule failed:", e);
     return null;
   }
 }
@@ -284,7 +287,8 @@ export async function refinePlan(
     })) return null;
 
     return result as import("@/types").WeekendPlanData[];
-  } catch {
+  } catch (e) {
+    console.error("refinePlan failed:", e);
     return null;
   }
 }
@@ -337,7 +341,8 @@ export async function suggestAlternativeItems(
           typeof (a as Record<string, unknown>).searchQuery === "string",
       )
       .slice(0, 3) as Array<{ activity: string; searchQuery: string; reason: string }>;
-  } catch {
+  } catch (e) {
+    console.error("suggestAlternativeItems failed:", e);
     return null;
   }
 }
@@ -437,7 +442,8 @@ export async function runAgentLoop(
       let args: Record<string, unknown>;
       try {
         args = JSON.parse(toolCall.function.arguments);
-      } catch {
+      } catch (e) {
+        console.error("runAgentLoop: failed to parse tool arguments:", e);
         args = {};
       }