fix: P0-01/P1-01/P1-03 — account lockout, token revocation, optional display_name

- P0-01: Account lockout now enforced via SQL-level comparison
  (locked_until > NOW()) instead of broken RFC3339 text parsing
- P1-01: Logout handler accepts JSON body with optional refresh_token,
  revokes ALL refresh tokens for the account (not just current)
- P1-03: Provider display_name is now optional, falls back to name

All 6 smoke tests pass (S1-S6).

crates/zclaw-saas/src/model_config/service.rs

@@ -89,11 +89,13 @@ pub async fn create_provider(db: &PgPool, req: &CreateProviderRequest, enc_key:
         String::new()
     };
 
+    let display_name = req.display_name.as_deref().unwrap_or(&req.name);
+
     sqlx::query(
         "INSERT INTO providers (id, name, display_name, api_key, base_url, api_protocol, enabled, rate_limit_rpm, rate_limit_tpm, created_at, updated_at)
          VALUES ($1, $2, $3, $4, $5, $6, true, $7, $8, $9, $9)"
     )
-    .bind(&id).bind(&req.name).bind(&req.display_name).bind(&encrypted_api_key)
+    .bind(&id).bind(&req.name).bind(display_name).bind(&encrypted_api_key)
     .bind(&req.base_url).bind(&req.api_protocol).bind(&req.rate_limit_rpm).bind(&req.rate_limit_tpm).bind(&now)
     .execute(db).await.map_err(|e| SaasError::from_sqlx_unique(e, &format!("Provider '{}'", req.name)))?;
 

crates/zclaw-saas/src/model_config/types.rs

@@ -21,7 +21,7 @@ pub struct ProviderInfo {
 #[derive(Debug, Deserialize)]
 pub struct CreateProviderRequest {
     pub name: String,
-    pub display_name: String,
+    pub display_name: Option<String>,
     pub base_url: String,
     #[serde(default = "default_protocol")]
     pub api_protocol: String,