fix(logseq-cli): flush OAuth callback response before settling login

The rewritten OCaml CLI resolves effects synchronously: cli/lib/platform/node/cli_effect.ml
wakeup invokes each bound callback inline. login_callback_server's on_request settled the
login task with finish (Ok result) before write_head/end_, so on the synchronous result
paths (state mismatch, missing code, oauth error) the whole login continuation ran up to
cli/bin/main.ml's exit on the same stack and the process terminated before the response
flushed. logseq-cli-login-callback then failed with "curl: (52) Empty reply from server"
despite the patch already binding 127.0.0.1. The success path was spared only because the
authorization-code exchange is async and deferred the exit.

Write the response first and call finish from the end_ completion callback, so the login
task settles after the response is handed to the socket. The dual-family loopback bind
(127.0.0.1 and ::1) stays: upstream still binds only the first dns.lookup result. Patch
rationale consolidated into the preamble per the no-inline-comment patch convention.

Validated against logseqRev 1d1ca70d: git apply --check and patch -p1 --dry-run apply
cleanly; nix build .#checks.x86_64-linux.logseq-cli-login-callback and
.#checks.x86_64-linux.logseq-cli-help both pass.

Author: Bad3r

patches/logseq-cli-auth-bind-loopback-address-families.patch

@@ -1,43 +1,50 @@
-Bind the CLI OAuth callback server to both loopback address families.
+Serve the CLI OAuth login callback reliably on loopback.
 
-logseq-cli's Node platform binds the OAuth callback with
-Http_server.listen server port "localhost" (cli/lib/platform/node/cli_platform.ml).
-Node resolves the host with dns.lookup and binds only the first returned
-address, which is often ::1 on systems whose hosts file lists the IPv6 loopback
-first. Browsers resolve localhost independently, and browser IPv6 policy can make
-the callback connect to the other loopback family. When that happens, the OAuth
-callback never reaches the CLI, which keeps waiting until the login timeout.
+logseq-cli's Node platform login_callback_server has two defects that keep the
+browser OAuth redirect from reaching the CLI
+(cli/lib/platform/node/cli_platform.ml). First, it binds with
+Http_server.listen server port "localhost". Node resolves the host with
+dns.lookup and binds only the first returned address, which is often ::1 on
+systems whose hosts file lists the IPv6 loopback first. Browsers resolve
+localhost independently, and browser IPv6 policy can make the callback connect
+to the other loopback family, so the callback never reaches the CLI and login
+waits until the login timeout. Second, on_request settles the login task with
+finish (Ok result) before it writes the HTTP response. cli_effect.ml runs effect
+continuations synchronously (wakeup invokes each bound callback inline), so a
+result that resolves without awaiting the network (state mismatch, missing code,
+oauth error) runs the whole login continuation on the same stack up to
+cli/bin/main.ml, whose completion handler calls exit on a nonzero code. The
+process terminates before write_head/end_ flush, so the browser receives an
+empty reply (curl reports "Empty reply from server"). The success path survives
+only because the authorization-code exchange is async and defers the exit.
 
 Fix: keep the "localhost" redirect URI registered with the Cognito app client
 (auth_state.ml callback_host), but make login_callback_server bind explicit
 127.0.0.1 and ::1 listeners that share one request handler and resolver. The
 listeners stay loopback-only (no wildcard :: or omitted host), the browser may
 resolve localhost to either family, and an EAFNOSUPPORT/EADDRNOTAVAIL on one
-family is tolerated as long as the other binds.
+family is tolerated as long as the other binds. Then write the callback response
+first and call finish from the end_ completion callback, so the login task
+settles (and the process may exit) only after the response has been handed to
+the socket.
 
-Removal condition: drop this patch when upstream binds explicit loopback literals
-for both families, or switches the Cognito app client to IP-literal redirect URIs,
+Removal condition: drop this patch when upstream binds explicit loopback
+literals for both families (or switches the Cognito app client to IP-literal
+redirect URIs) and writes the callback response before settling the login task,
 in cli/lib/platform/node/cli_platform.ml. A failed strict apply in the nightly
 build or the CLI build is the drift signal.
 
 diff --git a/cli/lib/platform/node/cli_platform.ml b/cli/lib/platform/node/cli_platform.ml
-index 89478a6..2a66b95 100644
+index 89478a6..8292fbd 100644
 --- a/cli/lib/platform/node/cli_platform.ml
 +++ b/cli/lib/platform/node/cli_platform.ml
-@@ -61,11 +61,33 @@ let js_error_message exn =
+@@ -61,11 +61,26 @@ let js_error_message exn =
    | Some message when String.trim message <> "" -> message
    | _ -> "JavaScript error"
 
 +external error_code : Js.Exn.t -> string option = "code"
 +[@@mel.get] [@@mel.return { undefined_to_opt }]
 +
-+(* Bind the OAuth callback on explicit loopback literals for both address
-+   families. Node's listen(port, "localhost") resolves "localhost" via
-+   dns.lookup and binds only the first returned address (often ::1 on
-+   IPv6-first hosts); a browser that resolves localhost to the other family
-+   then never reaches the callback and login hangs until timeout. Keep the
-+   redirect URI host as "localhost" (the Cognito app client registers that
-+   exact URL) but listen on 127.0.0.1 and ::1. *)
 +let loopback_bind_hosts host =
 +  if String.equal host "localhost" then [ "127.0.0.1"; "::1" ] else [ host ]
 +
@@ -59,7 +66,7 @@ index 89478a6..2a66b95 100644
    let clear_timer () =
      match !timeout_ref with
      | None -> ()
-@@ -73,18 +95,16 @@ let login_callback_server ~host ~port ~timeout_span ~on_listen ~handle_request =
+@@ -73,18 +88,16 @@ let login_callback_server ~host ~port ~timeout_span ~on_listen ~handle_request =
          timeout_ref := None;
          Timer.clear_timeout timeout_handle
    in
@@ -83,18 +90,22 @@ index 89478a6..2a66b95 100644
        Cli_effect.wakeup resolver result)
    in
    let on_request request response =
-@@ -100,9 +120,7 @@ let login_callback_server ~host ~port ~timeout_span ~on_listen ~handle_request =
+@@ -96,13 +109,10 @@ let login_callback_server ~host ~port ~timeout_span ~on_listen ~handle_request =
+       let response_body, result =
+         handle_request { target = Http_server.target request }
+       in
+-      finish (Ok result);
        Http_server.write_head response response_body.status
          (Http_server.text_headers ());
        Http_server.end_ response response_body.body (fun[@u] () ->
 -          match !server_ref with
 -          | None -> ()
 -          | Some server -> Http_server.close_ignore server)
-+          List.iter Http_server.close_ignore !servers)
++          finish (Ok result))
    in
    let on_listening () =
      let timeout = timeout_ms timeout_span in
-@@ -120,20 +138,50 @@ let login_callback_server ~host ~port ~timeout_span ~on_listen ~handle_request =
+@@ -120,20 +130,45 @@ let login_callback_server ~host ~port ~timeout_span ~on_listen ~handle_request =
        (fun exn ->
          finish (Error (Login_callback_server_aborted (Printexc.to_string exn))))
    in
@@ -105,16 +116,11 @@ index 89478a6..2a66b95 100644
 -    in
 -    server_ref := Some server;
 -    Http_server.on_error server (fun[@u] error ->
-+  (* Arm the timeout and open the browser once, on the first family that binds. *)
 +  let first_bind () =
 +    if not !listened then (
 +      listened := true;
 +      on_listening ())
 +  in
-+  (* If every listen attempt settles with nothing bound, the callback cannot be
-+     served on any loopback family: fail like the single-server path did. An
-+     EAFNOSUPPORT/EADDRNOTAVAIL on one family is tolerated as long as the other
-+     binds. *)
 +  let note_attempt_settled () =
 +    if !pending = 0 && !bound = 0 && not !settled then
 +      finish