Visible User State
Your sign-in link expired. Please try signing in again.
Auto-redirecting too quickly hides the real failure and increases support reports.
Phase 7B Session Contract Harness
Expired Code
Expired one-time links get fresh-sign-in copy and no hidden retry.
Retry/session-contract/callback-simulation?error_code=CODE_EXPIRED
Production Routes Still Owned By SPA
- /login
- /register
- /forgot-password
- /reset-password
- /auth/callback
Read one-time payload
The callback payload is captured before the URL is cleaned.
Clean browser URL
One-time params are removed before exchange work can be refreshed or replayed.
Expire cleanly
The page does not auto-submit or redirect before the user can read the message.
Scenario Assertions
- Recovery
- PassUser controls retry from the visible error state.
Cutover Rules
- Do not exchange provider codes in the browser.
- Do not replay callback URLs after one-time params are consumed.
- Do not navigate to protected destinations until user state exists.
- Do not run worker eviction on one-time callback URLs.
- Do not move real auth routes until the browser matrix passes.
Provider Shell
Query: ready
Shell: isolated
Production router: untouched