logout() proper fix: revoke backend + clear ALL session keys

Old logout() was demo placeholder:
- only cleared 'app-role' + 'jwt' (NOT pgz_access/refresh/user)
- did NOT call POST /auth/logout to revoke JWT
- redirected to /static/sport2.html (wrong)

New logout() now:
1. POST /auth/logout to revoke JWT server-side
2. Clear ALL keys: pgz_access, pgz_refresh, pgz_user, app-role, jwt, access_token, refresh_token, pgz_session_id (both localStorage + sessionStorage)
3. Redirect to /login

Verified by Playwright E2E: token absent after logout.

static/app.html

@@ -749,14 +749,23 @@ function navTo(id){
   $$('.nav-i').forEach(el => el.classList.toggle('active', el.dataset.id===id));
   loadSection();
 }
-function logout(){
+async function logout(){
   if(!confirm('Odjava iz aplikacije?')) return;
-  try {
-    localStorage.removeItem('app-role');
-    localStorage.removeItem('jwt');
-  } catch(e){}
-  alert('Odjavljen. (Production: redirect na /login)');
-  window.location.href = '/static/sport2.html';
+  // Call backend to revoke JWT
+  try{
+    const tok = getToken();
+    if(tok){
+      await fetch(API+'/auth/logout', {
+        method:'POST',
+        headers:{'Authorization':'Bearer '+tok}
+      }).catch(()=>{});
+    }
+  }catch(e){}
+  // Clear ALL session keys (not just demo placeholders)
+  ['pgz_access','pgz_refresh','pgz_user','app-role','jwt','access_token','refresh_token','pgz_session_id'].forEach(k => {
+    try{localStorage.removeItem(k); sessionStorage.removeItem(k);}catch(e){}
+  });
+  window.location.href = '/login';
 }
 
 //=========== SECTION TITLES ===========