Remove sso_hint cookie, add sso-clear logout chain

sso_hint on .rose-ash.com was blocked by Safari ITP — the exact
problem we're solving. Replaced with redirect chain: account logout
chains through each client app's /auth/sso-clear to clear all
first-party sessions without any cross-domain cookies.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

infrastructure/oauth.py

@@ -127,16 +127,23 @@ def create_oauth_blueprint(app_name: str) -> Blueprint:
         qsession.clear()
         resp = redirect("/")
         resp.delete_cookie("blog_session", domain=".rose-ash.com", path="/")
-        resp.delete_cookie("sso_hint", domain=".rose-ash.com", path="/")
         return resp
 
+    @bp.get("/sso-clear")
+    @bp.get("/sso-clear/")
+    async def sso_clear():
+        """Clear local session, then redirect to next app in logout chain."""
+        qsession.pop(SESSION_USER_KEY, None)
+        qsession.pop("cart_sid", None)
+        next_url = request.args.get("next", "/")
+        return redirect(next_url)
+
     @bp.post("/logout")
     @bp.post("/logout/")
     async def logout():
         qsession.pop(SESSION_USER_KEY, None)
         qsession.pop("cart_sid", None)
-        qsession.pop("sso_checked", None)
-        # Redirect through account to clear the SSO session too
+        # Redirect through account to clear all app sessions
         return redirect(account_url("/auth/sso-logout/"))
 
     return bp