fix(cli-auth): ensure fallback token renders before redirect on Windows/Chrome

[Th3Ya0vi]

Summary

Fixes #1469 — CLI login callback does not complete after GitHub sign-in on Windows/Chrome.

Root cause: setToken() (a React state update, batched/async) and window.location.assign() (synchronous navigation) were called back-to-back in the same microtask. React's batching meant the fallback token UI was never rendered before the navigation fired.

On Windows/Chrome, when window.location.assign("http://127.0.0.1:PORT/…") fails — for example because the CLI's local server already shut down (ERR_CONNECTION_REFUSED) or Chrome's HTTPS-first mode interferes — Chrome replaces the current page with an error screen. Since the token had not rendered yet, users were left on Chrome's error page with no way to recover.

Fix:

• Use flushSync() from react-dom to render the token and callback URL synchronously before calling window.location.assign(). The token is guaranteed to be on screen before any navigation attempt.
• Add a callbackUrl state so the rendered fallback also includes a "Retry redirect to CLI" link — useful if the user navigates back to the page or the auto-redirect was silently swallowed.
• Improve the fallback copy instructions to mention clawhub login --token <token>.

Test plan

• Normal flow (CLI server still running): sign in with GitHub, CLI receives token automatically — no visible change.
• Failed redirect flow (CLI server shut down): token and "Retry redirect to CLI" link are visible on screen before Chrome shows any error. User can copy the token manually.
• Retry link: clicking "Retry redirect to CLI" re-attempts the localhost redirect.
• Existing AppProviders tests still pass (bun run test).

🤖 Generated with Claude Code

[vercel]

@Th3Ya0vi is attempting to deploy a commit to the 0xBuns Team on Vercel.

A member of the Team first needs to authorize it.

[greptile-apps]

Greptile Summary

This PR fixes a Windows/Chrome-specific CLI login regression where window.location.assign() fired before React had a chance to flush the fallback token to the DOM. The fix wraps the three state updates in flushSync() so the token, callback URL, and status are synchronously committed before navigation is attempted, and adds a "Retry redirect to CLI" link plus improved copy instructions for the manual-recovery path.

Confidence Score: 5/5

Safe to merge — targeted, well-scoped fix with no logic or security regressions.

flushSync is used correctly in a post-await async context (not during render), the existing isAllowedRedirectUri guard still protects the redirect URI and the retry link, shadowing of the local callbackUrl variable is intentional and correct, and error-path state is handled properly. No P0/P1 findings.

No files require special attention.

_{Reviews (1): Last reviewed commit: "fix(cli-auth): ensure fallback token ren..." | Re-trigger Greptile}