🌐 fix: Preserve URL Query Params Through Auth Refresh and Conversation Init (#12028)

* 🔗 fix: Preserve URL query params during silent token refresh

The silent token refresh on hard navigation was redirecting to '/c/new'
without query params, wiping the URL before ChatRoute could read them.
Now preserves the current URL (pathname + search) as the redirect
fallback, with isSafeRedirect validation.

* 🧭 fix: Apply URL query params in ChatRoute initialization

ChatRoute now reads URL search params (endpoint, model, agent_id, etc.)
and merges them into the preset passed to newConversation(), so the
first conversation init already includes the URL param settings. This
eliminates the race where useQueryParams fired too late.

- Export processValidSettings from useQueryParams for reuse
- Add getNewConvoPreset helper in ChatRoute (used in both NEW_CONVO branches)
- Query params take precedence over model spec defaults
- useQueryParams now waits for endpointsConfig before processing
- Skip redundant newQueryConvo when settings are already applied
- Clean all URL params via setSearchParams after processing

* ✅ test: Update useQueryParams tests for new URL cleanup behavior

- Assert setSearchParams called instead of window.history.replaceState
- Mock endpoints config in deferred submission and timeout tests

* ♻️ refactor: Move processValidSettings to ~/utils and address review findings

- Move processValidSettings/parseQueryValue to createChatSearchParams.ts
  (pure utility, not hook-specific)
- Fix processSubmission: use setSearchParams instead of replaceState,
  move URL cleanup outside data.text guard
- Narrow endpointsConfig guard: only block settings application, not
  prompt-only flows
- Convert areSettingsApplied to stable useCallback ([] deps) with
  conversationRef to avoid interval churn on conversation updates
- Replace console.log with logger.log in production paths
- Restore explanatory comment on pendingSubmitRef guard
- Use for...of in processValidSettings (CLAUDE.md preference)
- Remove unused imports from useQueryParams

* 🔧 fix: Add areSettingsApplied to effect deps and fix test mocks

- Restore areSettingsApplied in main effect deps (stable identity with
  [] deps, safe to include — satisfies exhaustive-deps lint rule)
- Fix all test getQueryData mocks to properly distinguish between
  startupConfig and endpoints keys
- Assert setSearchParams call arguments (URLSearchParams + replace:true)

* ✅ test: Assert empty URLSearchParams in setSearchParams calls

Tighten setSearchParams assertions to verify the params are empty
(toString() === ''), not just that a URLSearchParams instance was passed.

* 🔧 test: Update AuthContext tests to navigate to current URL for redirects

- Modified test cases to assert navigation to the current URL instead of a hardcoded '/c/new' when no stored redirect exists or when falling back from unsafe stored redirects.
- Enhanced test setup to define window.location for accurate simulation of redirect behavior.

client/src/hooks/__tests__/AuthContext.spec.tsx

@@ -313,8 +313,12 @@ describe('AuthContextProvider — silentRefresh post-login redirect', () => {
     jest.useRealTimers();
   });
 
-  it('navigates to /c/new when no stored redirect exists', () => {
+  it('navigates to current URL when no stored redirect exists', () => {
     jest.useFakeTimers();
+    Object.defineProperty(window, 'location', {
+      value: { ...window.location, pathname: '/c/new', search: '' },
+      writable: true,
+    });
 
     renderProviderLive();
 
@@ -361,8 +365,12 @@ describe('AuthContextProvider — silentRefresh post-login redirect', () => {
     jest.useRealTimers();
   });
 
-  it('falls back to /c/new for unsafe stored redirect', () => {
+  it('falls back to current URL for unsafe stored redirect', () => {
     jest.useFakeTimers();
+    Object.defineProperty(window, 'location', {
+      value: { ...window.location, pathname: '/c/new', search: '' },
+      writable: true,
+    });
     sessionStorage.setItem(SESSION_KEY, 'https://evil.com/steal');
 
     renderProviderLive();