Sign-in race wipes own credentials when browser is already logged into rize.io

**Environment**: Rize Windows `app-2.3.7` (Jan 28 2026 build), Windows 11 Pro 26200

## Repro (100%)

1. Be already signed in to rize.io in your default browser (Google SSO session active).
2. Open the Windows app and click **Sign in**.
3. Browser opens `https://app.rize.io/auth/electron` and — because you're already authed — instantly redirects to `rize://auth/?token=...` with **no user interaction in between**.

## Actual

The protocol handler spawns **two** `Rize.exe` instances; both POST the same one-time token to `/auth/magic-link/request`. First succeeds and stores credentials; second gets `Invalid token` and the error handler wipes the credentials the first instance just stored. App ends up unauthenticated (`%APPDATA%\Rize\config.json` → `authCredentials: null`) and shows the sign-in error dialog.

## Workaround

Sign out from rize.io in the browser first, then sign in from the desktop app. The Google OAuth click-through gives the desktop process enough time for its single-instance lock to bind, so the eventual `rize://` callback only spawns one instance.

## Log (`%APPDATA%\Rize\logs\main.log`, 2026-05-06 00:04:54–55)

```
00:04:54.120 [Router] Handling url: rize://auth/?token=63c7bHZGoiVRbmTfdwV-
00:04:54.150 POST /auth/magic-link/request
00:04:55.031 [Router] Handling url: rize://auth/?token=63c7bHZGoiVRbmTfdwV-   ← 2nd instance, same token
00:04:55.035 POST /auth/magic-link/request
00:04:55.084 [Auth] Authentication successful → Storing credentials → Setting cookies
00:04:55.657 [error] Authentication error: Invalid token.
00:04:55.664 [Auth] Resetting credentials
00:04:55.674 [Cookies] Clearing auth credentials   ← wipes credentials stored 0.59s earlier
```

Full log excerpt attached as `rize-main-log-excerpt.log`.