Visible User State
Your browser blocked the sign-in cookies. Open IbomMarket directly in Chrome or Safari.
This is the smaller Android and in-app-browser failure mode that must stay explicit.
Phase 7B Session Contract Harness
Browser Blocked Cookie
Verifier loss shows targeted recovery copy instead of a generic failure.
Blocked/session-contract/callback-simulation?error_code=VERIFIER_MISSING
Production Routes Still Owned By SPA
- /login
- /register
- /forgot-password
- /reset-password
- /auth/callback
Read one-time payload
The callback payload is captured before the URL is cleaned.
Clean browser URL
One-time params are removed before exchange work can be refreshed or replayed.
Show recovery
The user gets manual retry actions and direct-browser guidance.
Scenario Assertions
- No auto-loop
- PassDo not keep retrying a missing verifier.
- Copy
- BlockedExplain blocked cookies and direct-browser recovery.
Cutover Rules
- Do not exchange provider codes in the browser.
- Do not replay callback URLs after one-time params are consumed.
- Do not navigate to protected destinations until user state exists.
- Do not run worker eviction on one-time callback URLs.
- Do not move real auth routes until the browser matrix passes.
Provider Shell
Query: ready
Shell: isolated
Production router: untouched