Visible User State
Session restored. Returning to the saved destination.
A Start port must preserve redirect intent without reintroducing open redirects.
Phase 7B Session Contract Harness
Protected Destination
Deep links preserve the intended destination without exposing open redirects.
Pass/session-contract/callback-simulation?server_session=1&next=/dashboard
Production Routes Still Owned By SPA
- /login
- /register
- /forgot-password
- /reset-password
- /auth/callback
Read one-time payload
The callback payload is captured before the URL is cleaned.
Clean browser URL
One-time params are removed before exchange work can be refreshed or replayed.
Server exchange
The backend owns token exchange and HttpOnly cookie creation.
Session event
The browser waits for the session-established signal before probing cookies.
Redirect after hydration
Navigation waits until the user object exists so protected destinations do not bounce.
Scenario Assertions
- Same-origin path
- PassOnly local paths are accepted as redirect targets.
- Hydration gate
- PassDestination is reached only after session state exists.
Cutover Rules
- Do not exchange provider codes in the browser.
- Do not replay callback URLs after one-time params are consumed.
- Do not navigate to protected destinations until user state exists.
- Do not run worker eviction on one-time callback URLs.
- Do not move real auth routes until the browser matrix passes.
Provider Shell
Query: ready
Shell: isolated
Production router: untouched