fix(billing): resolve all audit findings — CSRF, float precision, TOCTOU, error sanitization

- Add CSRF token protection for mock payment (SHA256 + constant-time verify)
- Replace f64 currency conversion with pure integer string parsing (parse_yuan_to_cents)
- Move subscription check inside transaction to prevent TOCTOU race
- Rewrite increment_usage to use atomic SQL (account_id+period_start WHERE)
- Add trade_no format validation in payment callback
- Sanitize error messages to prevent sensitive data leakage
- Use i32::try_from for WeChat amount conversion (prevent truncation)
- Replace window.__ZCLAW_STATS_SYNC_INTERVAL__ with useRef pattern
- Replace eprintln/println with tracing macros in lifecycle
- Remove unused variable in scheduler
- Remove duplicate sha2 and unused hmac from Cargo.toml

crates/zclaw-saas/src/scheduler.rs

@@ -50,7 +50,6 @@ pub fn start_scheduler(config: &SchedulerConfig, db: PgPool, dispatcher: WorkerD
         let job_name = job.name.clone();
         let task_name = job.task.clone();
         let args_json = job.args.clone();
-        let _db = db.clone();
         let dispatcher = dispatcher.clone_ref();
         let run_on_start = job.run_on_start;