Fix OAuth infinite redirect loop

The problem: Button observer was firing on each page load, even during OAuth callback
- When page reloads with ?code=xxx, it's a new session
- once=TRUE resets, so observer fires again
- This triggered another OAuth redirect, creating infinite loop

The fix:
- Check URL query string for 'code' parameter in button observer
- If code exists, skip redirect (we're in callback)
- Also skip showing login overlay if code is in URL
- This prevents the loop: code in URL → skip button → process auth → done

Now the flow works:
1. Click Sign in → redirect to HF OAuth
2. HF redirects back with ?code=xxx
3. Button observer sees code in URL, doesn't fire
4. JavaScript sends code to server
5. Server processes auth → hides overlay → shows user info

server.R

@@ -169,6 +169,13 @@ if 'agents.manager_agent' in sys.modules:
   observeEvent(input$hfSignInBtn, {
     req(input$hfSignInBtn)
 
+    # Check if we're in OAuth callback (code in URL)
+    query_string <- parseQueryString(session$clientData$url_search)
+    if (!is.null(query_string$code)) {
+      print("OAuth: In callback, skipping button redirect")
+      return()
+    }
+
     if (!oauth_config$enabled) {
       print("OAuth: Not enabled")
       return()
@@ -203,8 +210,16 @@ if 'agents.manager_agent' in sys.modules:
   }, ignoreInit = TRUE, once = TRUE)
 
   # Send initial auth state on session start
+  # Don't send if we're in OAuth callback (will be handled after auth completes)
   observe({
-    session$sendCustomMessage('auth_state', list(authenticated = FALSE))
+    isolate({
+      # Check if we're in OAuth callback by looking at URL parameters
+      query_string <- parseQueryString(session$clientData$url_search)
+      if (is.null(query_string$code)) {
+        # No OAuth code in URL, show login overlay
+        session$sendCustomMessage('auth_state', list(authenticated = FALSE))
+      }
+    })
   })
 
   # OAuth callback handler