feat: plans export require download=1 safety valve

app/Http/Controllers/Admin/PlanController.php

@@ -22,6 +22,11 @@ class PlanController extends Controller
     {
         $this->ensurePlatformAdmin($request);
 
+        // 安全阀：必须显式声明 download=1，避免浏览器预取/误触发导致频繁导出
+        if ((string) $request->query('download', '') !== '1') {
+            abort(400, 'download=1 required');
+        }
+
         $filters = [
             'status' => trim((string) $request->query('status', '')),
             'billing_cycle' => trim((string) $request->query('billing_cycle', '')),