fix: logout now properly cleans up session tokens

- Deletes current token AND tokens replaced by it
- Cleans up all expired tokens on logout
- Prevents stale sessions from showing on dashboard after re-login

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

src/services/auth.ts

@@ -224,7 +224,23 @@ export async function refreshAccessToken(
 
 export async function logout(refreshTokenRaw: string): Promise<void> {
   const tokenHash = hashToken(refreshTokenRaw);
-  await prisma.refresh_tokens.deleteMany({ where: { token_hash: tokenHash } });
+  // Delete the current token
+  const token = await prisma.refresh_tokens.findFirst({ where: { token_hash: tokenHash } });
+  if (token) {
+    // Delete the current token and all replaced tokens in its chain
+    await prisma.refresh_tokens.deleteMany({
+      where: {
+        OR: [
+          { token_hash: tokenHash },
+          { replaced_by_hash: tokenHash },
+        ],
+      },
+    });
+  }
+  // Clean up expired tokens for all users
+  await prisma.refresh_tokens.deleteMany({
+    where: { expires_at: { lt: new Date() } },
+  });
 }
 
 export async function verifyAccessToken(token: string): Promise<AuthData | null> {