diff --git a/src/context/AuthContext.jsx b/src/context/AuthContext.jsx
index 5069be4..51bd1d4 100644
--- a/src/context/AuthContext.jsx
+++ b/src/context/AuthContext.jsx
@@ -108,7 +108,7 @@ export const fetchUserProfile = async (userId) => {
     .from("users")
     .select("id, email, name, role_id, last_login, roles(name)")
     .eq("id", userId)
-    .single();
+    .maybeSingle();
   if (error || !data) return null;
   return {
     id: data.id,
@@ -119,8 +119,21 @@ export const fetchUserProfile = async (userId) => {
   };
 };
 
+/** Clear all auth state from storage — called on explicit signOut */
+const clearAllAuthStorage = () => {
+  // Clear Supabase secureStorage keys from sessionStorage
+  sessionStorage.removeItem("supersam-auth");
+  sessionStorage.removeItem("supersam-ak");
+  // Clear local auth cache from localStorage
+  localStorage.removeItem(STORAGE_KEY);
+  localStorage.removeItem("construction-auth-role-hint");
+};
+
 export const AuthProvider = ({ children }) => {
   const [user, setUser] = useState(() => {
+    // Demo mode reads from localStorage; Supabase mode always starts null
+    // (session restore happens via onAuthStateChange/getSession)
+    if (hasSupabaseConfig) return null;
     const stored = localStorage.getItem(STORAGE_KEY);
     return stored ? decodeLocalAuth(stored) : null;
   });
@@ -162,6 +175,7 @@ export const AuthProvider = ({ children }) => {
       if (error && isStaleRefreshTokenError(error)) {
         setUser(null);
         setAuthError("Сессия истекла. Войдите заново.");
+        clearAllAuthStorage();
         void supabase.auth.signOut({ scope: "local" });
         return;
       }
@@ -297,8 +311,10 @@ export const AuthProvider = ({ children }) => {
 
   const signOut = async () => {
     if (hasSupabaseConfig && supabase) {
-      await supabase.auth.signOut();
+      await supabase.auth.signOut({ scope: "local" });
     }
+    // Hard clear all auth storage so auto-login is impossible after logout
+    clearAllAuthStorage();
     setUser(null);
     setPendingEmail("");
     setIsOtpSent(false);
@@ -332,4 +348,4 @@ export const useAuth = () => {
     throw new Error("useAuth must be used within AuthProvider");
   }
   return context;
-};
+};
\ No newline at end of file
diff --git a/src/main.jsx b/src/main.jsx
index 3203f01..dd5a49f 100644
--- a/src/main.jsx
+++ b/src/main.jsx
@@ -13,13 +13,11 @@ registerPwaServiceWorker();
 initErrorLogging();
 
 ReactDOM.createRoot(document.getElementById("root")).render(
-  <React.StrictMode>
-    <ThemeProvider>
-      <AuthProvider>
-        <ErrorBoundary>
-          <RouterProvider router={router} />
-        </ErrorBoundary>
-      </AuthProvider>
-    </ThemeProvider>
-  </React.StrictMode>,
-);
+  <ThemeProvider>
+    <AuthProvider>
+      <ErrorBoundary>
+        <RouterProvider router={router} />
+      </ErrorBoundary>
+    </AuthProvider>
+  </ThemeProvider>,
+);
\ No newline at end of file