Visible User State
This sign-in link was already used. Please sign in again from scratch.
Retrying a consumed code makes the error look permanent even when a new sign-in would work.
Phase 7B Session Contract Harness
Code Already Used
A replayed callback link is treated as dead and asks for a fresh sign-in.
Retry/session-contract/callback-simulation?error_code=CODE_ALREADY_USED
Production Routes Still Owned By SPA
- /login
- /register
- /forgot-password
- /reset-password
- /auth/callback
Read one-time payload
The callback payload is captured before the URL is cleaned.
Clean browser URL
One-time params are removed before exchange work can be refreshed or replayed.
Stop replay
The same code is not exchanged again because it is already consumed.
Scenario Assertions
- Replay protection
- PassManual retry only; no transparent second exchange.
Cutover Rules
- Do not exchange provider codes in the browser.
- Do not replay callback URLs after one-time params are consumed.
- Do not navigate to protected destinations until user state exists.
- Do not run worker eviction on one-time callback URLs.
- Do not move real auth routes until the browser matrix passes.
Provider Shell
Query: ready
Shell: isolated
Production router: untouched