CORR-20: guard tzinfo on refresh-token expiry compare

Unconditional .replace(tzinfo=timezone.utc) would mislabel a non-UTC
aware datetime. Now only assume UTC when expires_at is naive, matching
the scout_runner pattern. 3 refresh tests pass.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

api/app/api/routes/auth.py

@@ -202,7 +202,14 @@ async def refresh(
     rt = result.scalar_one_or_none()
 
     now = datetime.now(timezone.utc)
-    if rt is None or rt.expires_at.replace(tzinfo=timezone.utc) < now:
+    rt_exp = None
+    if rt is not None:
+        rt_exp = (
+            rt.expires_at
+            if rt.expires_at.tzinfo is not None
+            else rt.expires_at.replace(tzinfo=timezone.utc)
+        )
+    if rt is None or rt_exp < now:
         raise HTTPException(status.HTTP_401_UNAUTHORIZED, "Invalid or expired refresh token")
 
     # Rotate: delete old token, issue new one.