fix(auth): enforce single-session with DB tokenVersion + heartbeat detection

Move single-session invalidation from cache-based token version checks to a database-backed, atomic tokenVersion flow to eliminate concurrent login race conditions. Add a global auth heartbeat (visibility-aware) so kicked sessions are detected within ~10s when the page is visible.

Made-with: Cursor

backend/prisma/migrations/20260309_add_token_version_to_platform_users/migration.sql

@@ -0,0 +1,3 @@
+-- 单设备登录强一致：将 token_version 下沉到数据库，避免缓存竞态
+ALTER TABLE "platform_schema"."users"
+ADD COLUMN IF NOT EXISTS "token_version" INTEGER NOT NULL DEFAULT 0;

backend/prisma/schema.prisma

@@ -42,6 +42,7 @@ model User {
   trialEndsAt         DateTime?        @map("trial_ends_at")
   isTrial             Boolean          @default(true) @map("is_trial")
   lastLoginAt         DateTime?        @map("last_login_at")
+  tokenVersion        Int              @default(0) @map("token_version")
   createdAt           DateTime         @default(now()) @map("created_at")
   updatedAt           DateTime         @updatedAt @map("updated_at")
   tenant_members      tenant_members[]