fix(auth): enforce single-session with DB tokenVersion + heartbeat detection

Move single-session invalidation from cache-based token version checks to a database-backed, atomic tokenVersion flow to eliminate concurrent login race conditions. Add a global auth heartbeat (visibility-aware) so kicked sessions are detected within ~10s when the page is visible.

Made-with: Cursor

backend/prisma/migrations/20260309_add_token_version_to_platform_users/migration.sql

@@ -0,0 +1,3 @@
+-- 单设备登录强一致：将 token_version 下沉到数据库，避免缓存竞态
+ALTER TABLE "platform_schema"."users"
+ADD COLUMN IF NOT EXISTS "token_version" INTEGER NOT NULL DEFAULT 0;