Visible User State
We could not read saved redirect state, so we use onboarding or home safely.
Private mode and restricted storage must not turn into a blank callback screen.
Phase 7B Session Contract Harness
Restricted Storage
Storage failures fall back to safe defaults instead of breaking the page.
Pass/session-contract/callback-simulation?code=storage-restricted
Production Routes Still Owned By SPA
- /login
- /register
- /forgot-password
- /reset-password
- /auth/callback
Read one-time payload
The callback payload is captured before the URL is cleaned.
Clean browser URL
One-time params are removed before exchange work can be refreshed or replayed.
Server exchange
The backend owns token exchange and HttpOnly cookie creation.
Storage fallback
Unavailable storage is caught and does not block session completion.
Redirect after hydration
Navigation waits until the user object exists so protected destinations do not bounce.
Scenario Assertions
- Fallback route
- PassComplete users go home; incomplete users go to onboarding.
Cutover Rules
- Do not exchange provider codes in the browser.
- Do not replay callback URLs after one-time params are consumed.
- Do not navigate to protected destinations until user state exists.
- Do not run worker eviction on one-time callback URLs.
- Do not move real auth routes until the browser matrix passes.
Provider Shell
Query: ready
Shell: isolated
Production router: untouched