fix(relay): audit fixes — abort signal, model selector guard, SSE CRLF, SQL format

Addresses findings from deep code audit:

H-1: Pass abortController.signal to saasClient.chatCompletion() so
     user-cancelled streams actually abort the HTTP connection (was only
     stopping the read loop, leaving server-side SSE connection open).

H-2: ModelSelector now shows only when (!isTauriRuntime() || isLoggedIn).
     Prevents decorative model list in Tauri local kernel mode where model
     selection has no effect (violates CLAUDE.md §5.2).

M-1: Normalize CRLF to LF before SSE event boundary parsing (\n\n).
     Prevents buffer overflow when behind nginx/CDN with CRLF line endings.

M-2: SQL window_minute comparison uses to_char(NOW()-interval, format)
     instead of (NOW()-interval)::TEXT, matching the stored format exactly.

M-3: sort_candidates_by_quota uses same sliding 60s window as select_best_key.

LOW: Fix misleading invalidate_cache doc comment.

crates/zclaw-saas/src/relay/service.rs

@@ -651,7 +651,7 @@ pub async fn sort_candidates_by_quota(
                    SUM(COALESCE(pk.max_rpm, 999999) - COALESCE(uw.request_count, 0)) AS remaining_rpm
             FROM provider_keys pk
             LEFT JOIN key_usage_window uw ON pk.id = uw.key_id
-                AND uw.window_minute = to_char(date_trunc('minute', NOW()), 'YYYY-MM-DDTHH24:MI')
+                AND uw.window_minute >= to_char(NOW() - INTERVAL '1 minute', 'YYYY-MM-DDTHH24:MI')
             WHERE pk.provider_id = ANY($1)
               AND pk.is_active = TRUE
               AND (pk.cooldown_until IS NULL OR pk.cooldown_until::timestamptz <= NOW())