fix(saas): P0-2/P0-3 — usage endpoint + refresh token type mismatch

P0-2: GET /usage 500 "text >= timestamptz" — usage_records.created_at
is TEXT in actual DB despite migration declaring TIMESTAMPTZ. Fixed by
using dynamic SQL with ::timestamptz explicit casts for all date
comparisons, avoiding sqlx NULL-without-type-OID binding issues.

P0-3: POST /auth/refresh 500 — refresh_tokens.expires_at/used_at are
TEXT columns. Added ::timestamptz cast to SQL queries in auth handlers
and cleanup worker.

crates/zclaw-saas/src/auth/handlers.rs

@@ -331,7 +331,7 @@ pub async fn refresh(
 
     // 3. 从 DB 查找 refresh token，确保未被使用
     let row: Option<(String,)> = sqlx::query_as(
-        "SELECT account_id FROM refresh_tokens WHERE jti = $1 AND used_at IS NULL AND expires_at > $2"
+        "SELECT account_id FROM refresh_tokens WHERE jti = $1 AND used_at IS NULL AND expires_at::timestamptz > $2"
     )
     .bind(jti)
     .bind(&chrono::Utc::now())
@@ -567,7 +567,7 @@ async fn cleanup_expired_refresh_tokens(db: &sqlx::PgPool) -> SaasResult<()> {
     let now = chrono::Utc::now();
     // 删除过期超过 30 天的已使用 token (减少 DB 膨胀)
     sqlx::query(
-        "DELETE FROM refresh_tokens WHERE (used_at IS NOT NULL AND used_at < $1) OR (expires_at < $1)"
+        "DELETE FROM refresh_tokens WHERE (used_at IS NOT NULL AND used_at::timestamptz < $1) OR (expires_at::timestamptz < $1)"
     )
     .bind(&now)
     .execute(db).await?;