Clear session cookie when account signals logout via inbox

Check did_auth:{device_id} in Redis — if absent while user has
a session cookie, account has logged out. Clear the cookie so
next request triggers prompt=none which won't re-auth.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

app/__init__.py

@@ -72,8 +72,21 @@ def create_app() -> FastAPI:
         ):
             return await call_next(request)
 
-        # Already logged in
+        # Already logged in — but verify account hasn't logged out
         if get_user_from_cookie(request):
+            device_id = getattr(request.state, "device_id", None)
+            if device_id:
+                try:
+                    from .dependencies import get_redis_client
+                    r = get_redis_client()
+                    if not r.get(f"did_auth:{device_id}"):
+                        # Account logged out — clear our cookie
+                        response = await call_next(request)
+                        response.delete_cookie("artdag_session")
+                        response.delete_cookie("pnone_at")
+                        return response
+                except Exception:
+                    pass
             return await call_next(request)
 
         # Check cooldown — don't re-check within 5 minutes