feat(tokens): allow permanent deletion of revoked tokens

Add POST /admin/tokens/{id}/delete endpoint that permanently removes
a token from the database (only if already revoked). Add delete button
in backoffice UI for revoked tokens.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

apps/backoffice/app/tokens/page.tsx

@@ -1,6 +1,6 @@
 import { revalidatePath } from "next/cache";
 import { redirect } from "next/navigation";
-import { listTokens, createToken, revokeToken, TokenDto } from "../../lib/api";
+import { listTokens, createToken, revokeToken, deleteToken, TokenDto } from "../../lib/api";
 import { Card, CardHeader, CardTitle, CardDescription, CardContent, Button, Badge, FormField, FormInput, FormSelect, FormRow } from "../components/ui";
 
 export const dynamic = "force-dynamic";
@@ -31,6 +31,13 @@ export default async function TokensPage({
     revalidatePath("/tokens");
   }
 
+  async function deleteTokenAction(formData: FormData) {
+    "use server";
+    const id = formData.get("id") as string;
+    await deleteToken(id);
+    revalidatePath("/tokens");
+  }
+
   return (
     <>
       <div className="mb-6">
@@ -109,7 +116,7 @@ export default async function TokensPage({
                     )}
                   </td>
                   <td className="px-4 py-3">
-                    {!token.revoked_at && (
+                    {!token.revoked_at ? (
                       <form action={revokeTokenAction}>
                         <input type="hidden" name="id" value={token.id} />
                         <Button type="submit" variant="destructive" size="sm">
@@ -119,6 +126,16 @@ export default async function TokensPage({
                           Revoke
                         </Button>
                       </form>
+                    ) : (
+                      <form action={deleteTokenAction}>
+                        <input type="hidden" name="id" value={token.id} />
+                        <Button type="submit" variant="destructive" size="sm">
+                          <svg className="w-4 h-4 mr-1" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+                            <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M19 7l-.867 12.142A2 2 0 0116.138 21H7.862a2 2 0 01-1.995-1.858L5 7m5 4v6m4-6v6m1-10V4a1 1 0 00-1-1h-4a1 1 0 00-1 1v3M4 7h16" />
+                          </svg>
+                          Delete
+                        </Button>
+                      </form>
                     )}
                   </td>
                 </tr>

apps/backoffice/lib/api.ts

@@ -254,6 +254,10 @@ export async function revokeToken(id: string) {
   return apiFetch<void>(`/admin/tokens/${id}`, { method: "DELETE" });
 }
 
+export async function deleteToken(id: string) {
+  return apiFetch<void>(`/admin/tokens/${id}/delete`, { method: "POST" });
+}
+
 export async function fetchBooks(
   libraryId?: string,
   series?: string,