Grant-based session revocation, remove iframe logout

Account creates OAuthGrant per authorization, revokes on logout.
Client apps verify grants via /auth/internal/verify-grant endpoint.
Removes iframe-based logout page.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

templates/auth/signing_out.html

@@ -1,21 +0,0 @@
-{% extends "_types/root/_index.html" %}
-{% block meta %}{% endblock %}
-{% block title %}Signing out — Rose Ash{% endblock %}
-{% block content %}
-<div class="py-8 max-w-md mx-auto text-center">
-  <h1 class="text-2xl font-bold mb-4">Signing out&hellip;</h1>
-  <p class="text-stone-500 text-sm">You will be redirected shortly.</p>
-</div>
-
-{# Fire-and-forget: clear each client app's session via hidden iframes #}
-{% for url in clear_urls %}
-<iframe src="{{ url }}" style="display:none" aria-hidden="true"></iframe>
-{% endfor %}
-
-<script>
-  // Give iframes a moment to load, then redirect
-  setTimeout(function() {
-    window.location.href = "{{ final_url }}";
-  }, 1500);
-</script>
-{% endblock %}