fix: force fresh OIDC sign-in after onboarding to pick up new org membership

After creating a tenant, the existing Logto tokens don't include the new
org membership/scopes. A hard page reload reused stale tokens, causing
the SDK to either lose auth state (redirect loop to login) or fail to
resolve org scopes (falling through to server UI instead of tenant UI).

Replace window.location.href with signIn() to trigger a fresh OIDC flow.
The existing Logto session cookie means auto-approval — no login form.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
hsiegeln
2026-04-26 12:06:39 +02:00
parent cfa9d41b36
commit d720c0500f


@@ -1,4 +1,5 @@
import { useState, useEffect, useRef } from 'react';
import { useLogto } from '@logto/react';
import { Card, Input, Button, FormField, Alert } from '@cameleer/design-system';
import cameleerLogo from '@cameleer/design-system/assets/cameleer-logo.svg';
import { api } from '../api/client';
@@ -13,6 +14,7 @@ interface TenantResponse {
}
export function OnboardingPage() {
const { signIn } = useLogto();
const [name, setName] = useState('');
const [loading, setLoading] = useState(false);
const [error, setError] = useState<string | null>(null);
@@ -48,9 +50,11 @@ export function OnboardingPage() {
setLoading(true);
try {
await api.post<TenantResponse>('/onboarding/tenant', { name, slug });
// Tenant created — force a full page reload so the Logto SDK
// picks up the new org membership and scopes on the next token refresh.
window.location.href = '/platform/';
// Tenant created — force a fresh OIDC sign-in so the Logto SDK gets
// new tokens that include the org membership just created. The existing
// Logto session cookie means the user won't see a login form — Logto
// auto-approves and redirects back with fresh tokens.
await signIn(`${window.location.origin}/platform/callback`);
} catch (err) {
const msg = err instanceof Error ? err.message : String(err);
if (msg.includes('409')) {
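Review bot: The new `await signIn(...)` sits inside the same `try` as the `api.post` call, so a rejection from the sign-in step lands in the catch that classifies errors by `msg.includes('409')` and is handled as if tenant creation had failed. By then the tenant already exists, so a retry from the form would presumably take the conflict path while the browser still holds the stale tokens. Consider handling the sign-in separately after the creation `try`, for example `try { await signIn(redirectUri); } catch { setError('Tenant created, but re-authentication failed. Please sign in again.'); }`. The added comment also states the silent approval as a certainty; it should say that an expired Logto session will show the login form, and that the `/platform/callback` URI has to be among the application's registered redirect URIs. The catch body continues outside the hunk.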