Harden auth and outbound admin surfaces

frontend/app/ui/HeaderIdentity.tsx

@@ -1,7 +1,7 @@
 'use client'
 
 import { useEffect, useState } from 'react'
-import { authFetch, clearToken, getApiBase, getToken } from '../lib/auth'
+import { authFetch, clearToken, getApiBase, getToken, logout } from '../lib/auth'
 
 export default function HeaderIdentity() {
   const [identity, setIdentity] = useState<{ username: string; role?: string } | null>(null)
@@ -49,7 +49,8 @@ export default function HeaderIdentity() {
 
   const label = `${identity.username}${identity.role ? ` (${identity.role})` : ''}`
   const initial = identity.username.slice(0, 1).toUpperCase()
-  const signOut = () => {
+  const signOut = async () => {
+    await logout().catch(() => undefined)
     clearToken()
     if (typeof window !== 'undefined') {
       window.location.href = '/login'
@@ -83,7 +84,7 @@ export default function HeaderIdentity() {
             <a href="/changelog" onClick={() => setOpen(false)}>
               Changelog
             </a>
-            <button type="button" className="signed-in-signout" onClick={signOut}>
+            <button type="button" className="signed-in-signout" onClick={() => void signOut()}>
               Sign out
             </button>
           </div>