Destroy owned sandboxes on user disable and fix OAuth login resilience

When an admin disables a user, all active sandboxes (running, paused,
hibernated) for teams they own are now destroyed and their API keys
are deleted. User queries now filter by status column instead of
deleted_at, so re-enabling a user always works. OAuth login paths
use ensureDefaultTeam to auto-create a team if the user has none,
matching the email/password login behavior.

db/queries/teams.sql

@@ -86,6 +86,14 @@ WHERE ut.user_id = $1
       WHERE ut2.team_id = t.id AND ut2.user_id <> $1
   );
 
+-- name: GetOwnedTeamIDs :many
+-- Returns team IDs where the given user has the 'owner' role.
+SELECT t.id FROM teams t
+JOIN users_teams ut ON ut.team_id = t.id
+WHERE ut.user_id = $1
+  AND ut.role = 'owner'
+  AND t.deleted_at IS NULL;
+
 -- name: CountTeamsAdmin :one
 SELECT COUNT(*)::int AS total
 FROM teams