fix(device-agent): encode redirect params + make performLogout self-contained

- URL-encode code and state in device-callback redirect
- Move clearAuth() into performLogout so logout is self-contained
- Remove redundant clearAuth() calls from all call sites in index.ts

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: tofikwest

apps/portal/src/app/(public)/auth/device-callback/page.tsx

@@ -47,7 +47,8 @@ export default function DeviceCallbackPage() {
         const { code } = await response.json();
 
         // Redirect to the device agent's localhost server
-        window.location.href = `http://localhost:${port}/auth-callback?code=${code}&state=${state}`;
+        window.location.href = `http://localhost:${port}/auth-callback?code=${encodeURIComponent(code)}&state=${encodeURIComponent(state!)}`;
+
         setStatus('success');
       } catch (err) {
         console.error('Device auth callback failed:', err);

packages/device-agent/src/main/auth.ts

@@ -10,7 +10,7 @@ import type {
   StoredAuth,
 } from '../shared/types';
 import { log } from './logger';
-import { getPortalUrl, setAuth } from './store';
+import { clearAuth, getPortalUrl, setAuth } from './store';
 
 /** How long to wait for the user to complete login in the browser */
 const LOGIN_TIMEOUT_MS = 5 * 60 * 1000; // 5 minutes
@@ -299,8 +299,8 @@ function errorPage(message: string): string {
 }
 
 /**
- * Sign out: clear stored auth (no more Electron session cookies to manage)
+ * Sign out: clear stored auth data
  */
 export async function performLogout(): Promise<void> {
-  // Nothing to clean up — stored auth is cleared by the caller via clearAuth()
+  clearAuth();
 }

packages/device-agent/src/main/index.ts

@@ -14,7 +14,7 @@ import {
   startScheduler,
   stopScheduler,
 } from './scheduler';
-import { clearAuth, getAuth, getLastCheckResults } from './store';
+import { getAuth, getLastCheckResults } from './store';
 import {
   createTray,
   destroyTray,
@@ -64,7 +64,6 @@ setSessionExpiredHandler(async () => {
   log('Session expired — clearing auth and prompting re-login');
   stopScheduler();
   await performLogout();
-  clearAuth();
   currentResults = [];
   setStatus('unauthenticated');
   notifyRenderer(IPC_CHANNELS.AUTH_STATE_CHANGED, false);
@@ -77,7 +76,6 @@ setDevicesNotFoundHandler(async () => {
   log('All devices returned 404 — clearing auth and re-registering');
   stopScheduler();
   await performLogout();
-  clearAuth();
   currentResults = [];
   setStatus('unauthenticated');
   notifyRenderer(IPC_CHANNELS.AUTH_STATE_CHANGED, false);
@@ -128,7 +126,6 @@ const trayCallbacks = {
     log('User signing out');
     stopScheduler();
     await performLogout();
-    clearAuth();
     currentResults = [];
     setStatus('unauthenticated');
     notifyRenderer(IPC_CHANNELS.AUTH_STATE_CHANGED, false);
@@ -179,7 +176,6 @@ ipcMain.handle(IPC_CHANNELS.LOGOUT, async () => {
   log('Logout via IPC');
   stopScheduler();
   await performLogout();
-  clearAuth();
   currentResults = [];
   setStatus('unauthenticated');
   notifyRenderer(IPC_CHANNELS.AUTH_STATE_CHANGED, false);