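-- v0.9.1 TASK-SEC-001: Invalidate all existing JWT tokens (HS256) before the RS256 migration.
-- Incrementing token_version forces re-login with new RS256 tokens.
--
-- The UPDATE has to start on its own line: "--" comments out everything up to
-- the end of the line, so a statement written after the comment text never runs.
--
-- No WHERE clause on purpose: every row in users is bumped.
-- COALESCE covers a NULL token_version (NULL + 1 stays NULL, which would leave
-- that row unchanged); it changes nothing if the column is declared NOT NULL.
-- NOTE(review): this revokes tokens only if verification compares the token's
-- version claim against users.token_version; that code is not visible here, confirm it.
-- NOTE(review): the bump does not restrict which signing algorithm is accepted;
-- confirm the verifier accepts RS256 only once the migration is complete.
UPDATE users
SET token_version = COALESCE(token_version, 0) + 1;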