fix: handle TransientToken in logout for session-based auth

When the SPA authenticates via cookies (not Bearer token), Sanctum returns
a TransientToken from currentAccessToken() which has no delete() method.
Detect it and invalidate the session instead.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

app/Http/Controllers/Api/AuthController.php

@@ -8,7 +8,7 @@ use Illuminate\Http\JsonResponse;
 use Illuminate\Http\Request;
 use Illuminate\Support\Facades\Auth;
 use Illuminate\Validation\Rules\Password;
-use Laravel\Sanctum\PersonalAccessToken;
+use Laravel\Sanctum\TransientToken;
 
 class AuthController extends Controller
 {
@@ -46,9 +46,15 @@ class AuthController extends Controller
 
     public function logout(Request $request): JsonResponse
     {
-        /** @var PersonalAccessToken $token */
         $token = $request->user()->currentAccessToken();
-        $token->delete();
+
+        // TransientToken means session-based auth (no Bearer token) — invalidate session instead
+        if ($token instanceof TransientToken) {
+            $request->session()->invalidate();
+            $request->session()->regenerateToken();
+        } else {
+            $token->delete();
+        }
 
         return response()->json(['message' => 'Logged out.']);
     }