Two defensive layers complementing the RP-Initiated Logout in 82e25933:

1. cameleer:signed_out sessionStorage flag (set in auth-store.logout,
   read+cleared in LoginPage on mount) renders a 'You have been signed
   out successfully' card with an explicit 'Sign in again' button.
   Mirrors the cameleer-saas pattern.
2. prompt=login on the OIDC authorization redirect forces the IdP to
   re-prompt for credentials even if its session cookie somehow
   survived RP-Initiated Logout (proxy, race, misconfigured
   post_logout_redirect_uri). OIDC Core 1.0 §3.1.2.1.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
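
The two layers described in the commit message above, as an added JavaScript example that is not the repository's code. Only the cameleer:signed_out key and prompt=login come from the message; every function name, the in-memory storage stand-in and the sample endpoint values are hypothetical, and the auth_time check goes one step beyond the message to show how a relying party can confirm that re-authentication took place.

```javascript
// Added illustration; not code from the cameleer repository.
const SIGNED_OUT_KEY = 'cameleer:signed_out'; // key name from the commit message

// Minimal Storage-like stand-in so the example runs outside a browser.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
}

// Set by logout just before the RP-Initiated Logout redirect.
function markSignedOut(storage) { storage.setItem(SIGNED_OUT_KEY, '1'); }

// Read and clear on login-page mount, so the card shows once per logout.
function consumeSignedOutFlag(storage) {
  const wasSet = storage.getItem(SIGNED_OUT_KEY) === '1';
  storage.removeItem(SIGNED_OUT_KEY);
  return wasSet;
}

// Authorization request with prompt=login (OIDC Core 1.0 §3.1.2.1).
function buildAuthorizationUrl(cfg, state, nonce) {
  const url = new URL(cfg.authorizationEndpoint);
  url.search = new URLSearchParams({
    response_type: 'code', client_id: cfg.clientId,
    redirect_uri: cfg.redirectUri, scope: 'openid',
    state, nonce, prompt: 'login',
  }).toString();
  return url.toString();
}

// prompt=login is a request to the IdP. When the ID token carries auth_time
// (an optional claim unless max_age or an essential-claim request is made),
// the RP can confirm the login is not older than the redirect it sent.
function reauthenticated(claims, requestSentAtSec, skewSec = 60) {
  return typeof claims.auth_time === 'number' &&
    claims.auth_time >= requestSentAtSec - skewSec;
}

// Constructed sample configuration (hypothetical values).
const sampleConfig = {
  authorizationEndpoint: 'https://idp.example.test/oidc/auth',
  clientId: 'example-client',
  redirectUri: 'https://app.example.test/callback',
};
```

In a browser the storage argument would be window.sessionStorage, which is scoped to the tab, so the flag does not leak into other tabs or outlive the tab.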