Visible User State
Your sign-in worked. We are waiting for your session to catch up.
Fixed timers are unsafe on slow mobile networks; state events must drive redirects.
Phase 7B Session Contract Harness
Slow Session Hydration
A slow cookie probe keeps the user on a clear waiting state instead of bouncing.
Waiting/session-contract/callback-simulation?code=slow-network
Production Routes Still Owned By SPA
- /login
- /register
- /forgot-password
- /reset-password
- /auth/callback
Read one-time payload
The callback payload is captured before the URL is cleaned.
Clean browser URL
One-time params are removed before exchange work can be refreshed or replayed.
Server exchange
The backend owns token exchange and HttpOnly cookie creation.
Session event
The browser waits for the session-established signal before probing cookies.
Hold navigation
A manual continue action appears only after the hydration window stalls.
Scenario Assertions
- No premature redirect
- PassDo not navigate to a protected destination while user is null.
Cutover Rules
- Do not exchange provider codes in the browser.
- Do not replay callback URLs after one-time params are consumed.
- Do not navigate to protected destinations until user state exists.
- Do not run worker eviction on one-time callback URLs.
- Do not move real auth routes until the browser matrix passes.
Provider Shell
Query: ready
Shell: isolated
Production router: untouched