
fix(auth): clear stale WebView2 cookies before GamePass re-login (#296) #297

Merged
YCC3741 merged 2 commits into code from fix/296-gamepass-relogin-stale-webview-cookies
Jun 2, 2026

YCC3741 commented Jun 1, 2026

Collaborator

Summary

Fixes #296 — after a GamePass login, logging out and logging in again (GamePass) would load the wrong / empty account data, and only fully closing and reopening Beanfun.exe recovered.

Root cause

WebView2 keeps a single cookie store per user-data-folder, shared by every window for the lifetime of the host process. Session cookies (bfWebToken, ASP.NET_SessionId) have no Expires, so their lifetime is tied to the WebView2 browser session = the whole process.

  • After a GamePass logout we clear AppState + the reqwest cookie jar and invalidate the server-side session, but the WebView2 cookie store is never touched.
  • The next GamePass login opens a new window that still shares the old cookies, so the portal sees the lingering (now dead) bfWebToken, short-circuits the OAuth round-trip, and the harvest lifts the invalidated session.
  • Restarting the .exe ends the WebView2 browser session, which is why it was the only recovery.

(The previous #287 only invalidated the prefetched account cache on game switch, which is unrelated to this WebView2 cookie persistence.)

Fix

Clear the WebView2 cookie store before seeding the fresh session cookies in open_gamepass_window, so every attempt starts from a clean, process-restart-equivalent state.

  • New native COM helper clear_all_cookies_native (DeleteAllCookies).
  • The clear and seed run as two separate native passes with a flush gap (clear → sleep → seed → sleep → navigate). DeleteAllCookies and AddOrUpdateCookie are both fire-and-return COM calls with no documented ordering guarantee, so fusing them into one pass risked the pending delete wiping the freshly-seeded cookies (which would reproduce the D5 "No such auth key and secret code" failure).
  • Windows-only path; non-Windows keeps the existing wry set_cookie seed (the quirk is WebView2-specific and the app ships Windows-only).
  • Added a per-page-load diagnostic (trace_webview_cookies) that logs the WebView's cookie names (never values) so the clear can be verified on a live run.

Test plan

  • cargo build (non-cached recompile), cargo clippy — no warnings
  • cargo test --lib gamepass — 22 passed
  • Manual: GamePass login → logout → GamePass login again → account data is correct without restarting the app
  • Manual: check step=GamepassPageLoad.WebViewCookies logs — the second login's entry page should show only freshly-seeded session cookies, no stale bfWebToken

Note: the native WebView2 cookie behaviour can't be exercised by automated unit tests (no WebView2 runtime in CI; cookie_native.rs has none by design), so the live verification above is required before merge.

YCC3741 added 2 commits May 21, 2026 22:32
WebView2 keeps a single cookie store per user-data-folder, shared by
every window for the lifetime of the host process. After a GamePass
logout the server-side session is invalidated but its bfWebToken /
ASP.NET_SessionId cookies linger in that store, so the next GamePass
login (a new window, same process) inherits the stale token, the
portal short-circuits the OAuth round-trip, and the harvest lifts the
dead session — surfacing wrong/empty account data. Only restarting the
.exe recovered, because that ends the WebView2 browser session.

Clear the WebView2 cookie store before seeding the fresh session
cookies so every attempt starts from a clean, process-restart-
equivalent state. The clear and seed run as two separate native COM
passes with a flush gap between them: DeleteAllCookies and
AddOrUpdateCookie are both fire-and-return calls with no documented
ordering guarantee, so fusing them into one pass risks the pending
delete wiping the freshly-seeded cookies.

Add a per-page-load diagnostic that logs the WebView's cookie names
(never values) so the clear can be verified on a live run.
YCC3741 requested a review from lshw54 June 1, 2026 17:54
YCC3741 self-assigned this Jun 1, 2026
YCC3741 merged commit 9da134d into code Jun 2, 2026
3 checks passed
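
The ordering argument from the PR description, as an added Rust model that is not code from this PR or the project: `CookieStore`, `Op`, `flush` and `relogin` are hypothetical names, the cookie values are constructed, and the reordering inside `flush` is an assumed worst case, not documented WebView2 behaviour.

```rust
use std::collections::BTreeMap;

// Toy model (an assumption, not WebView2 internals): calls return at once and
// queue work; a flush applies the queue in an order callers cannot rely on.
enum Op { DeleteAll, AddOrUpdate(String, String) }

#[derive(Default)]
struct CookieStore { cookies: BTreeMap<String, String>, pending: Vec<Op> }

impl CookieStore {
    fn delete_all(&mut self) { self.pending.push(Op::DeleteAll); }
    fn add_or_update(&mut self, n: &str, v: &str) {
        self.pending.push(Op::AddOrUpdate(n.into(), v.into()));
    }
    // Stand-in for the sleep gap: drain the queued work. `reversed` is the
    // worst case that an undocumented ordering permits.
    fn flush(&mut self, reversed: bool) {
        let mut ops: Vec<Op> = self.pending.drain(..).collect();
        if reversed { ops.reverse(); }
        for op in ops {
            match op {
                Op::DeleteAll => self.cookies.clear(),
                Op::AddOrUpdate(n, v) => { self.cookies.insert(n, v); }
            }
        }
    }
    // Diagnostic view: cookie names only, never values.
    fn trace_names(&self) -> Vec<String> { self.cookies.keys().cloned().collect() }
}

// clear -> [gap] -> seed -> gap. `gap = false` fuses clear and seed in one pass.
fn relogin(gap: bool, reversed: bool) -> Vec<String> {
    let mut s = CookieStore::default();
    // Constructed stale cookies left by the previous login in this process.
    s.cookies.insert("bfWebToken".into(), "dead-token".into());
    s.cookies.insert("ASP.NET_SessionId".into(), "dead-session".into());
    s.delete_all();
    if gap { s.flush(reversed); }
    s.add_or_update("bfWebToken", "fresh-token");
    s.flush(reversed);
    s.trace_names()
}

fn main() {
    println!("fused pass, reordered: {:?}", relogin(false, true));
    println!("two passes, reordered: {:?}", relogin(true, true));
}
```

In this model the fused pass is correct only when the queue happens to run in call order, while the two-pass sequence leaves exactly the seeded cookie under either order.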

Development

Successfully merging this pull request may close these issues.

6.0.1 Bug report