fix(saas): 3 项 P0 安全/功能修复 + TRUTH.md 数字校准

P0-01: Admin ApiKeys 创建功能前后端不匹配
- 前端 service 从 /keys 改回 /tokens（api_tokens 表）
- 前端 UI 字段 {name, expires_days, permissions} 与旧路由匹配

P0-02: 账户锁定检查错误处理
- unwrap_or(false) 改为 map_err + SaasError 传播
- SQL 查询失败时返回错误而非静默跳过锁定检查

P0-03: Logout refresh token 撤销增强
- 新增 access token cookie fallback 提取 account_id
- Tauri 桌面端 Bearer auth 场景下也能撤销 refresh token

TRUTH.md 校准: Tauri 183→190, invoke 95→104, .route() 136→137, 中间件 15→14

admin-v2/src/services/api-keys.ts

@@ -1,13 +1,15 @@
 import request, { withSignal } from './request'
 import type { TokenInfo, CreateTokenRequest, PaginatedResponse } from '@/types'
 
+// 使用 /tokens 路由 (api_tokens 表)，前端 UI 字段 {name, expires_days, permissions} 与此后端匹配
+// 注: /keys 路由 (account_api_keys 表) 需要 {provider_id, key_value}，属于不同的 Key 管理系统
 export const apiKeyService = {
   list: (params?: Record<string, unknown>, signal?: AbortSignal) =>
-    request.get<PaginatedResponse<TokenInfo>>('/keys', withSignal({ params }, signal)).then((r) => r.data),
+    request.get<PaginatedResponse<TokenInfo>>('/tokens', withSignal({ params }, signal)).then((r) => r.data),
 
   create: (data: CreateTokenRequest, signal?: AbortSignal) =>
-    request.post<TokenInfo>('/keys', data, withSignal({}, signal)).then((r) => r.data),
+    request.post<TokenInfo>('/tokens', data, withSignal({}, signal)).then((r) => r.data),
 
   revoke: (id: string, signal?: AbortSignal) =>
-    request.delete(`/keys/${id}`, withSignal({}, signal)).then((r) => r.data),
+    request.delete(`/tokens/${id}`, withSignal({}, signal)).then((r) => r.data),
 }