Visible User State
Welcome. Your session is ready.
Any Start port must keep the exchange non-idempotent and event-driven.
Phase 7B Session Contract Harness
Successful Google Return
A normal provider return exchanges once, hydrates the session, and redirects once.
Pass/session-contract/callback-simulation?code=one-time-code
Production Routes Still Owned By SPA
- /login
- /register
- /forgot-password
- /reset-password
- /auth/callback
Read one-time payload
The callback payload is captured before the URL is cleaned.
Clean browser URL
One-time params are removed before exchange work can be refreshed or replayed.
Server exchange
The backend owns token exchange and HttpOnly cookie creation.
Session event
The browser waits for the session-established signal before probing cookies.
Redirect after hydration
Navigation waits until the user object exists so protected destinations do not bounce.
Scenario Assertions
- One-time code
- PassRead before URL cleanup and exchanged once.
- Cookie handoff
- PassBackend sets cookies before session probe resumes.
- Redirect
- PassWait for hydrated user before leaving the callback screen.
Cutover Rules
- Do not exchange provider codes in the browser.
- Do not replay callback URLs after one-time params are consumed.
- Do not navigate to protected destinations until user state exists.
- Do not run worker eviction on one-time callback URLs.
- Do not move real auth routes until the browser matrix passes.
Provider Shell
Query: ready
Shell: isolated
Production router: untouched