feat: Step 1 always resets session state

Navigating to Step 1 (via stepper, direct link, or browser back) now
clears the token store and session — identical to clicking Reset.
This prevents stale user/token state from a previous flow run.

src/routes/demo.py

@@ -141,7 +141,14 @@ async def step1(request: Request):
     Fetches an app-level token with scope 'user:create,authorization:grant'.
     Docs: https://docs.tink.com/api#connectivity/oauth/create-an-oauth-token
     """
-    sess = _session(request)
+    # Step 1 always starts a clean session — equivalent to reset
+    old_sid = request.session.get("demo", {}).get("sid", "")
+    if old_sid:
+        _token_store.pop(old_sid, None)
+        _callback_locks.pop(old_sid, None)
+    request.session.pop("demo", None)
+
+    sess = _session(request)  # creates a fresh demo dict with a new sid
     client = _client(log_cb=_logger(sess))
     s = get_settings()
     error = None