chore(security): purge session store on logout

src/web/session.ts

@@ -12,6 +12,7 @@ import {
 } from "@whiskeysockets/baileys";
 import qrcode from "qrcode-terminal";
 
+import { SESSION_STORE_DEFAULT } from "../config/sessions.js";
 import { danger, info, success } from "../globals.js";
 import { getChildLogger } from "../logging.js";
 import { defaultRuntime, type RuntimeEnv } from "../runtime.js";
@@ -160,6 +161,8 @@ export async function logoutWeb(runtime: RuntimeEnv = defaultRuntime) {
     return false;
   }
   await fs.rm(WA_WEB_AUTH_DIR, { recursive: true, force: true });
+  // Also drop session store to clear lingering per-sender state after logout.
+  await fs.rm(SESSION_STORE_DEFAULT, { force: true });
   runtime.log(
     success(
       "Cleared WhatsApp Web credentials. Run `warelay login --provider web` to relink.",