test: 增强 handler/middleware 测试覆盖并优化错误分类

测试增强：
- handler_test.go: 大幅增强 handler 集成测试（+1284/-98 行）
- theme_handler_test.go: 增强主题管理测试（+174/-22 行）
- auth_bootstrap_test.go: 新增 bootstrap 认证测试（+329 行）
- ratelimit_test.go: 新增限流中间件测试（+153 行）
- runtime_test.go: 新增运行时中间件测试（+351 行）

错误处理：
- auth_handler.go: classifyErrorMessage 增加 TOTP 错误码和 2FA 状态字分类

清理：
- 删除覆盖率报告残留文件（coverage_issue, handler, middleware 等）
- 归档 docs/superpowers/plans/2026-05-09-middleware-test-backfill-phase1.md

internal/api/handler/auth_handler.go

@@ -784,13 +784,17 @@ func classifyErrorMessage(msg string) int {
 		return http.StatusNotFound
 	case contains(lower, "already exists", "已存在", "已注册", "duplicate"):
 		return http.StatusConflict
+	case contains(lower, "验证码错误", "验证码或恢复码错误", "verification code", "recovery code"):
+		return http.StatusUnauthorized
 	case contains(lower, "unauthorized", "invalid token", "token", "令牌", "未认证"):
 		return http.StatusUnauthorized
 	case contains(lower, "forbidden", "permission", "权限", "禁止"):
 		return http.StatusForbidden
+	case contains(lower, "2fa 已", "2fa 未", "请先初始化 2fa", "已启用", "未启用"):
+		return http.StatusBadRequest
 	case contains(lower, "invalid", "required", "must", "cannot be empty", "不能为空",
 		"格式", "参数", "密码不正确", "incorrect", "wrong", "too short", "too long",
-		"已失效", "expired", "验证码不正确", "不能与"):
+		"已失效", "expired", "验证码不正确", "不能与", "不能删除自己", "不能删除最后一个管理员"):
 		return http.StatusBadRequest
 	case contains(lower, "locked", "too many", "账号已被锁定", "rate limit"):
 		return http.StatusTooManyRequests