@oxyhq/core 3.1.0 → 3.4.0

package/dist/cjs/mixins/OxyServices.reputation.js

@@ -0,0 +1,244 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.OxyServicesReputationMixin = OxyServicesReputationMixin;
+const mixinHelpers_1 = require("./mixinHelpers");
+/** Cache-key prefix for every cached `GET /reputation/...` response. */
+const REPUTATION_CACHE_PREFIX = 'GET:/reputation/';
+function OxyServicesReputationMixin(Base) {
+    return class extends Base {
+        constructor(...args) {
+            super(...args);
+        }
+        /**
+         * Get a user's cached reputation balance — derived totals, per-category
+         * breakdown, trust tier, capped influence weights, and reliability signals.
+         * @param userId - The subject user's `_id` or publicKey.
+         */
+        async getReputationBalance(userId) {
+            try {
+                return await this.makeRequest('GET', `/reputation/${encodeURIComponent(userId)}/balance`, undefined, { cache: true, cacheTTL: mixinHelpers_1.CACHE_TIMES.MEDIUM });
+            }
+            catch (error) {
+                throw this.handleError(error);
+            }
+        }
+        /**
+         * Get the reputation leaderboard, ordered by lifetime total descending.
+         * @param limit - Page size (server-capped).
+         * @param offset - Page offset.
+         */
+        async getReputationLeaderboard(limit, offset) {
+            try {
+                const params = {};
+                if (limit !== undefined)
+                    params.limit = limit;
+                if (offset !== undefined)
+                    params.offset = offset;
+                const res = await this.makeRequest('GET', '/reputation/leaderboard', Object.keys(params).length > 0 ? params : undefined, { cache: true, cacheTTL: mixinHelpers_1.CACHE_TIMES.LONG });
+                return res.data ?? [];
+            }
+            catch (error) {
+                throw this.handleError(error);
+            }
+        }
+        /**
+         * List the enabled reputation rules (for client display).
+         */
+        async getReputationRules() {
+            try {
+                const res = await this.makeRequest('GET', '/reputation/rules', undefined, { cache: true, cacheTTL: mixinHelpers_1.CACHE_TIMES.EXTRA_LONG });
+                return res.rules ?? [];
+            }
+            catch (error) {
+                throw this.handleError(error);
+            }
+        }
+        /**
+         * Get a user's paginated reputation ledger, newest first (auth required).
+         * @param userId - The subject user's `_id` or publicKey.
+         * @param limit - Page size (server-capped).
+         * @param offset - Page offset.
+         */
+        async getReputationTransactions(userId, limit, offset) {
+            try {
+                const params = {};
+                if (limit !== undefined)
+                    params.limit = limit;
+                if (offset !== undefined)
+                    params.offset = offset;
+                const res = await this.makeRequest('GET', `/reputation/${encodeURIComponent(userId)}/transactions`, Object.keys(params).length > 0 ? params : undefined, { cache: true, cacheTTL: mixinHelpers_1.CACHE_TIMES.SHORT });
+                return res.data ?? [];
+            }
+            catch (error) {
+                throw this.handleError(error);
+            }
+        }
+        /**
+         * Get a user's capped influence weight for a given context (auth required).
+         * @param userId - The subject user's `_id` or publicKey.
+         * @param context - The weight axis to read (defaults server-side to `default`).
+         */
+        async getReputationInfluence(userId, context) {
+            try {
+                return await this.makeRequest('GET', `/reputation/${encodeURIComponent(userId)}/influence`, context ? { context } : undefined, { cache: true, cacheTTL: mixinHelpers_1.CACHE_TIMES.MEDIUM });
+            }
+            catch (error) {
+                throw this.handleError(error);
+            }
+        }
+        /**
+         * Award (or penalise) reputation to a user by `actionType`. Restricted to
+         * service tokens and platform staff. Invalidates cached reputation reads.
+         * @param input - The award payload (subject, action, source, target, etc.).
+         */
+        async awardReputation(input) {
+            try {
+                const res = await this.makeRequest('POST', '/reputation/award', input, { cache: false });
+                this.clearCacheByPrefix(REPUTATION_CACHE_PREFIX);
+                return res.transaction;
+            }
+            catch (error) {
+                throw this.handleError(error);
+            }
+        }
+        /**
+         * Open a dispute against a transaction (auth required; the disputer is the
+         * authenticated user and must own the transaction).
+         * @param input - The transaction id, reason, and optional evidence.
+         */
+        async createReputationDispute(input) {
+            try {
+                const res = await this.makeRequest('POST', '/reputation/disputes', input, { cache: false });
+                this.clearCacheByPrefix(REPUTATION_CACHE_PREFIX);
+                return res.dispute;
+            }
+            catch (error) {
+                throw this.handleError(error);
+            }
+        }
+        /**
+         * List a user's own reputation disputes (auth required; the caller must be
+         * the subject or platform staff).
+         * @param userId - The subject user's `_id` or publicKey.
+         * @param limit - Page size (server-capped).
+         * @param offset - Page offset.
+         */
+        async getUserReputationDisputes(userId, limit, offset) {
+            try {
+                const params = {};
+                if (limit !== undefined)
+                    params.limit = limit;
+                if (offset !== undefined)
+                    params.offset = offset;
+                const res = await this.makeRequest('GET', `/reputation/${encodeURIComponent(userId)}/disputes`, Object.keys(params).length > 0 ? params : undefined, { cache: true, cacheTTL: mixinHelpers_1.CACHE_TIMES.SHORT });
+                return res.data ?? [];
+            }
+            catch (error) {
+                throw this.handleError(error);
+            }
+        }
+        // =========================================================================
+        // STAFF / ADMIN METHODS (require staff privileges server-side)
+        // =========================================================================
+        /**
+         * Create or update a reputation rule, keyed by `actionType` (staff only).
+         * Invalidates the cached rule list.
+         * @param input - The rule definition.
+         */
+        async upsertReputationRule(input) {
+            try {
+                const res = await this.makeRequest('POST', '/reputation/rules', input, { cache: false });
+                this.clearCacheByPrefix(REPUTATION_CACHE_PREFIX);
+                return res.rule;
+            }
+            catch (error) {
+                throw this.handleError(error);
+            }
+        }
+        /**
+         * Reverse a transaction (staff only): mark the original `reversed` and append
+         * a compensating `active` reversal with negated points. Invalidates cached
+         * reputation reads.
+         * @param transactionId - The transaction's id.
+         * @param input - Optional reason for the reversal.
+         */
+        async reverseReputationTransaction(transactionId, input) {
+            try {
+                const res = await this.makeRequest('POST', `/reputation/transactions/${encodeURIComponent(transactionId)}/reverse`, input ?? {}, { cache: false });
+                this.clearCacheByPrefix(REPUTATION_CACHE_PREFIX);
+                return res;
+            }
+            catch (error) {
+                throw this.handleError(error);
+            }
+        }
+        /**
+         * Void a transaction (staff only): mark it `voided` so it is excluded from
+         * the balance, with NO compensating entry. Invalidates cached reputation
+         * reads.
+         * @param transactionId - The transaction's id.
+         * @param input - Optional reason for the void.
+         */
+        async voidReputationTransaction(transactionId, input) {
+            try {
+                const res = await this.makeRequest('POST', `/reputation/transactions/${encodeURIComponent(transactionId)}/void`, input ?? {}, { cache: false });
+                this.clearCacheByPrefix(REPUTATION_CACHE_PREFIX);
+                return res.transaction;
+            }
+            catch (error) {
+                throw this.handleError(error);
+            }
+        }
+        /**
+         * Force a recompute of a user's balance snapshot from their active ledger
+         * (staff only). Invalidates cached reputation reads.
+         * @param userId - The subject user's `_id` or publicKey.
+         */
+        async recalculateReputation(userId) {
+            try {
+                const res = await this.makeRequest('POST', `/reputation/${encodeURIComponent(userId)}/recalculate`, undefined, { cache: false });
+                this.clearCacheByPrefix(REPUTATION_CACHE_PREFIX);
+                return res;
+            }
+            catch (error) {
+                throw this.handleError(error);
+            }
+        }
+        /**
+         * Get the open dispute queue across all users (staff only).
+         * @param limit - Page size (server-capped).
+         * @param offset - Page offset.
+         */
+        async getReputationDisputeQueue(limit, offset) {
+            try {
+                const params = {};
+                if (limit !== undefined)
+                    params.limit = limit;
+                if (offset !== undefined)
+                    params.offset = offset;
+                const res = await this.makeRequest('GET', '/reputation/disputes', Object.keys(params).length > 0 ? params : undefined, { cache: true, cacheTTL: mixinHelpers_1.CACHE_TIMES.SHORT });
+                return res.data ?? [];
+            }
+            catch (error) {
+                throw this.handleError(error);
+            }
+        }
+        /**
+         * Resolve a dispute (staff only). Accepting reverses the disputed
+         * transaction; rejecting restores it to `active`. Invalidates cached
+         * reputation reads.
+         * @param disputeId - The dispute's id.
+         * @param input - The resolution (`accepted` or `rejected`).
+         */
+        async resolveReputationDispute(disputeId, input) {
+            try {
+                const res = await this.makeRequest('POST', `/reputation/disputes/${encodeURIComponent(disputeId)}/resolve`, input, { cache: false });
+                this.clearCacheByPrefix(REPUTATION_CACHE_PREFIX);
+                return res.dispute;
+            }
+            catch (error) {
+                throw this.handleError(error);
+            }
+        }
+    };
+}

package/dist/cjs/mixins/OxyServices.workspaces.js

@@ -0,0 +1,146 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.OxyServicesWorkspacesMixin = OxyServicesWorkspacesMixin;
+const mixinHelpers_1 = require("./mixinHelpers");
+function OxyServicesWorkspacesMixin(Base) {
+    return class extends Base {
+        constructor(...args) {
+            super(...args);
+        }
+        /**
+         * List workspaces the current user is an active member of.
+         */
+        async getWorkspaces() {
+            try {
+                const res = await this.makeRequest('GET', '/workspaces', undefined, { cache: true, cacheTTL: mixinHelpers_1.CACHE_TIMES.MEDIUM });
+                return res.workspaces ?? [];
+            }
+            catch (error) {
+                throw this.handleError(error);
+            }
+        }
+        /**
+         * Create a new team workspace. The caller becomes its `owner`.
+         * @param data - Workspace configuration.
+         */
+        async createWorkspace(data) {
+            try {
+                const res = await this.makeRequest('POST', '/workspaces', data, { cache: false });
+                return res.workspace;
+            }
+            catch (error) {
+                throw this.handleError(error);
+            }
+        }
+        /**
+         * Fetch a single workspace by id.
+         * @param workspaceId - The workspace's Mongo `_id`.
+         */
+        async getWorkspace(workspaceId) {
+            try {
+                const res = await this.makeRequest('GET', `/workspaces/${encodeURIComponent(workspaceId)}`, undefined, { cache: true, cacheTTL: mixinHelpers_1.CACHE_TIMES.LONG });
+                return res.workspace;
+            }
+            catch (error) {
+                throw this.handleError(error);
+            }
+        }
+        /**
+         * Update a workspace's mutable fields.
+         * @param workspaceId - The workspace's Mongo `_id`.
+         * @param data - Subset of updatable fields.
+         */
+        async updateWorkspace(workspaceId, data) {
+            try {
+                const res = await this.makeRequest('PATCH', `/workspaces/${encodeURIComponent(workspaceId)}`, data, { cache: false });
+                return res.workspace;
+            }
+            catch (error) {
+                throw this.handleError(error);
+            }
+        }
+        /**
+         * Soft-delete a workspace (owner only).
+         * @param workspaceId - The workspace's Mongo `_id`.
+         */
+        async deleteWorkspace(workspaceId) {
+            try {
+                return await this.makeRequest('DELETE', `/workspaces/${encodeURIComponent(workspaceId)}`, undefined, { cache: false });
+            }
+            catch (error) {
+                throw this.handleError(error);
+            }
+        }
+        /**
+         * List members of a workspace.
+         * @param workspaceId - The workspace's Mongo `_id`.
+         */
+        async getWorkspaceMembers(workspaceId) {
+            try {
+                const res = await this.makeRequest('GET', `/workspaces/${encodeURIComponent(workspaceId)}/members`, undefined, { cache: true, cacheTTL: mixinHelpers_1.CACHE_TIMES.MEDIUM });
+                return res.members ?? [];
+            }
+            catch (error) {
+                throw this.handleError(error);
+            }
+        }
+        /**
+         * Add a member to a workspace.
+         * @param workspaceId - The workspace's Mongo `_id`.
+         * @param data - Target user's username or email and role (never `owner`).
+         *   The server resolves `usernameOrEmail` to a user; an unknown value yields
+         *   a 404 "User not found".
+         */
+        async inviteWorkspaceMember(workspaceId, data) {
+            try {
+                const res = await this.makeRequest('POST', `/workspaces/${encodeURIComponent(workspaceId)}/members`, data, { cache: false });
+                return res.member;
+            }
+            catch (error) {
+                throw this.handleError(error);
+            }
+        }
+        /**
+         * Change a member's role.
+         * @param workspaceId - The workspace's Mongo `_id`.
+         * @param memberId - The member's Mongo `_id`.
+         * @param data - New role (never `owner`).
+         */
+        async updateWorkspaceMember(workspaceId, memberId, data) {
+            try {
+                const res = await this.makeRequest('PATCH', `/workspaces/${encodeURIComponent(workspaceId)}/members/${encodeURIComponent(memberId)}`, data, { cache: false });
+                return res.member;
+            }
+            catch (error) {
+                throw this.handleError(error);
+            }
+        }
+        /**
+         * Remove a member from a workspace.
+         * @param workspaceId - The workspace's Mongo `_id`.
+         * @param memberId - The member's Mongo `_id`.
+         */
+        async removeWorkspaceMember(workspaceId, memberId) {
+            try {
+                return await this.makeRequest('DELETE', `/workspaces/${encodeURIComponent(workspaceId)}/members/${encodeURIComponent(memberId)}`, undefined, { cache: false });
+            }
+            catch (error) {
+                throw this.handleError(error);
+            }
+        }
+        /**
+         * Transfer ownership of a workspace to another member (owner only).
+         * Demotes the current owner and promotes the target to `owner`.
+         * @param workspaceId - The workspace's Mongo `_id`.
+         * @param data - Target user id.
+         */
+        async transferWorkspaceOwnership(workspaceId, data) {
+            try {
+                return await this.makeRequest('POST', `/workspaces/${encodeURIComponent(workspaceId)}/transfer-ownership`, data, { cache: false });
+            }
+            catch (error) {
+                throw this.handleError(error);
+            }
+        }
+    };
+}

package/dist/cjs/mixins/index.js

@@ -18,9 +18,10 @@ const OxyServices_user_1 = require("./OxyServices.user");
 const OxyServices_privacy_1 = require("./OxyServices.privacy");
 const OxyServices_language_1 = require("./OxyServices.language");
 const OxyServices_payment_1 = require("./OxyServices.payment");
-const OxyServices_karma_1 = require("./OxyServices.karma");
+const OxyServices_reputation_1 = require("./OxyServices.reputation");
 const OxyServices_assets_1 = require("./OxyServices.assets");
 const OxyServices_applications_1 = require("./OxyServices.applications");
+const OxyServices_workspaces_1 = require("./OxyServices.workspaces");
 const OxyServices_location_1 = require("./OxyServices.location");
 const OxyServices_analytics_1 = require("./OxyServices.analytics");
 const OxyServices_devices_1 = require("./OxyServices.devices");
@@ -62,9 +63,10 @@ const MIXIN_PIPELINE = [
     // Feature mixins
     OxyServices_language_1.OxyServicesLanguageMixin,
     OxyServices_payment_1.OxyServicesPaymentMixin,
-    OxyServices_karma_1.OxyServicesKarmaMixin,
+    OxyServices_reputation_1.OxyServicesReputationMixin,
     OxyServices_assets_1.OxyServicesAssetsMixin,
     OxyServices_applications_1.OxyServicesApplicationsMixin,
+    OxyServices_workspaces_1.OxyServicesWorkspacesMixin,
     OxyServices_location_1.OxyServicesLocationMixin,
     OxyServices_analytics_1.OxyServicesAnalyticsMixin,
     OxyServices_devices_1.OxyServicesDevicesMixin,

package/dist/cjs/utils/accountUtils.js

@@ -21,11 +21,16 @@ exports.formatPublicKeyHandle = formatPublicKeyHandle;
  * Resolve a friendly display name for a user.
  *
  * Order of preference:
- *  1. `name.full`, or composed `name.first name.last`
+ *  1. `name.full`, or composed `name.first name.last` (FIRST-NAME-ONLY SAFE —
+ *     a user with only a first name resolves to that first name, never to the
+ *     lowercase username; this is the exact drift bug the auth app hit).
  *  2. `name` (when stored as a plain string)
- *  3. `username`
- *  4. `Account 0x12345678…` (derived from publicKey, when present)
- *  5. Translated fallback (e.g. "Unnamed")
+ *  3. `displayName` (server `displayName` virtual — `username || truncatedKey`).
+ *     Placed AFTER the structured name on purpose: the server virtual ignores
+ *     `name`, so preferring it first would re-introduce the first-only bug.
+ *  4. `username`
+ *  5. `Account 0x12345678…` (derived from publicKey, when present)
+ *  6. Translated fallback (e.g. "Unnamed")
  *
  * The translation key `common.unnamed` is used for the final fallback. If the
  * caller does not pass a locale, the default English translation is used.
@@ -33,7 +38,7 @@ exports.formatPublicKeyHandle = formatPublicKeyHandle;
 const getAccountDisplayName = (user, locale) => {
     if (!user)
         return (0, i18n_1.translate)(locale, 'common.unnamed');
-    const { name, username, publicKey } = user;
+    const { name, displayName, username, publicKey } = user;
     if (name && typeof name === 'object') {
         if (typeof name.full === 'string' && name.full.trim())
             return name.full.trim();
@@ -46,6 +51,8 @@ const getAccountDisplayName = (user, locale) => {
     else if (typeof name === 'string' && name.trim()) {
         return name.trim();
     }
+    if (typeof displayName === 'string' && displayName.trim())
+        return displayName.trim();
     if (typeof username === 'string' && username.trim())
         return username.trim();
     if (typeof publicKey === 'string' && publicKey.length > 0) {

package/dist/cjs/utils/ssoReturn.js

@@ -96,14 +96,22 @@ function parseSsoReturnFragment(hash) {
  *     treated exactly like "no session" (never loops, never rethrows).
  *   - On EVERY consumed outcome (ok, none, error, state-mismatch, no-code,
  *     failed-exchange, no-sessionId) — not just ok — if the page landed on
- *     {@link SSO_CALLBACK_PATH}, the real pre-bounce destination is restored
- *     from the DEST key so the user is never stranded on the internal callback
- *     path. Same-origin only (an attacker-planted cross-origin or relative-evil
- *     dest is rejected). The DEST key is removed unconditionally.
- *   - After a same-origin dest restore (which uses `history.replaceState`, that
- *     does NOT itself emit `popstate`), a synthetic `popstate` is dispatched so
- *     URL-driven routers (Expo Router / React Navigation web) re-sync to the
- *     restored route. It is NOT dispatched when the dest is rejected/absent.
+ *     {@link SSO_CALLBACK_PATH}, the user is taken to a same-origin TARGET so
+ *     they are never stranded on the internal callback path (which is an
+ *     unregistered route in every consumer router → a hard 404). The target is
+ *     the stored DEST when it parses as same-origin (an attacker-planted
+ *     cross-origin / protocol-relative dest is rejected), ELSE the app root
+ *     (`origin + '/'`). The DEST key is removed unconditionally.
+ *   - For the `ok` outcome the target is applied via a SOFT
+ *     `history.replaceState` + synthetic `popstate` so the freshly exchanged
+ *     in-memory session the provider is about to commit is preserved (no
+ *     reload). `popstate` is dispatched only on the `ok` same-origin restore.
+ *   - For every NON-`ok` outcome there is no in-memory session to preserve, and
+ *     the consumer router has ALREADY synchronously rendered its 404 for the
+ *     unregistered callback route — a soft replaceState+popstate does not
+ *     reliably make it re-resolve. So these outcomes perform a HARD
+ *     full-document navigation to the target (`hardRedirect`), which is both
+ *     safe (nothing to lose) and guaranteed to clear the 404 in every router.
  *
  * Total: this function NEVER throws. Off-web it is a no-op returning `null`.
  *
@@ -137,6 +145,17 @@ async function consumeSsoReturn(oxy, deps = {}) {
                 window.dispatchEvent(new Event('popstate'));
             }
         });
+    // Default: a hard, full-document navigation used to leave the callback path
+    // on non-`ok` outcomes. Feature-detected end to end so it never throws in any
+    // environment (SSR / native / a stubbed location without `replace`).
+    const hardRedirect = deps.hardRedirect ??
+        ((url) => {
+            if (typeof window !== 'undefined' &&
+                window.location &&
+                typeof window.location.replace === 'function') {
+                window.location.replace(url);
+            }
+        });
     const ret = parseSsoReturnFragment(location.hash);
     if (!ret) {
         // Not an oxy_sso fragment — nothing to do (do NOT touch any flags).
@@ -159,42 +178,62 @@ async function consumeSsoReturn(oxy, deps = {}) {
         // even if some consumer path skipped setting it pre-bounce.
         storage.setItem((0, ssoBounce_1.ssoAttemptedKey)(origin), '1');
     };
-    // Restore the user's real pre-bounce destination so they are never stranded
-    // on the internal callback path — invoked on EVERY consumed outcome, not just
-    // success. Same-origin only — never honour a cross-origin/protocol-relative
-    // dest that could have been planted to redirect the user. The DEST key is
-    // removed unconditionally. After a successful same-origin restore a synthetic
-    // `popstate` is dispatched so URL-driven routers re-sync.
-    const restoreDest = () => {
-        if (location.pathname === ssoBounce_1.SSO_CALLBACK_PATH) {
-            const dest = storage.getItem((0, ssoBounce_1.ssoDestKey)(origin));
-            if (dest) {
-                try {
-                    const destUrl = new URL(dest, origin);
-                    if (destUrl.origin === origin) {
-                        history.replaceState(null, '', destUrl.pathname + destUrl.search + destUrl.hash);
-                        dispatchPopState();
-                    }
-                }
-                catch {
-                    // Malformed stored destination — leave the URL on the callback path.
+    // Compute the same-origin TARGET to leave the callback path for. Returns the
+    // stored DEST when present AND it parses as same-origin (never honour a
+    // cross-origin / protocol-relative dest that could have been planted to
+    // redirect the user), ELSE the app root (`origin + '/'`) so the user is never
+    // stranded on the internal callback path even when no dest was stored. The
+    // DEST key is removed unconditionally. Returns the relative path+search+hash
+    // (so it can be fed to either `history.replaceState` or a `hardRedirect`),
+    // or `null` when the page is not on the callback path (nothing to leave).
+    const consumeCallbackTarget = () => {
+        if (location.pathname !== ssoBounce_1.SSO_CALLBACK_PATH) {
+            // Not on the callback path — still drop the dest key (consumed) but there
+            // is nothing to navigate away from.
+            storage.removeItem((0, ssoBounce_1.ssoDestKey)(origin));
+            return null;
+        }
+        const dest = storage.getItem((0, ssoBounce_1.ssoDestKey)(origin));
+        storage.removeItem((0, ssoBounce_1.ssoDestKey)(origin));
+        if (dest) {
+            try {
+                const destUrl = new URL(dest, origin);
+                if (destUrl.origin === origin) {
+                    return destUrl.pathname + destUrl.search + destUrl.hash;
                 }
             }
+            catch {
+                // Malformed stored destination — fall through to the app-root fallback.
+            }
+        }
+        // No dest, a cross-origin/protocol-relative dest, or an unparseable dest:
+        // fall back to the app root so the router always leaves the 404.
+        return '/';
+    };
+    // Non-`ok` outcomes: there is no in-memory session to preserve, and the
+    // consumer router has already rendered its 404 for the unregistered callback
+    // route — a soft replaceState+popstate does not reliably make it re-resolve.
+    // Perform a HARD full-document navigation to the target (safe: nothing to
+    // lose; guaranteed: every router leaves the 404). Off the callback path this
+    // is a no-op (target is null).
+    const leaveCallbackHard = () => {
+        const target = consumeCallbackTarget();
+        if (target !== null) {
+            hardRedirect(origin + target);
         }
-        storage.removeItem((0, ssoBounce_1.ssoDestKey)(origin));
     };
     if (ret.kind === 'none' || ret.kind === 'error') {
         // The central IdP had no session (or the bounce failed). Record it so we do
         // not bounce again this tab — the definitive loop breaker.
         markNoSession();
-        restoreDest();
+        leaveCallbackHard();
         return null;
     }
     if (!stateOk || !ret.code) {
         // Forged / replayed / stale fragment, or a malformed ok with no code. Treat
         // exactly like "no session": never exchange, never loop.
         markNoSession();
-        restoreDest();
+        leaveCallbackHard();
         return null;
     }
     let session;
@@ -204,14 +243,22 @@ async function consumeSsoReturn(oxy, deps = {}) {
     catch (error) {
         onExchangeError?.(error);
         markNoSession();
-        restoreDest();
+        leaveCallbackHard();
         return null;
     }
     if (!session?.sessionId) {
         markNoSession();
-        restoreDest();
+        leaveCallbackHard();
         return null;
     }
-    restoreDest();
+    // `ok`: the provider is about to commit the freshly exchanged in-memory
+    // session — do NOT hard-redirect (a full navigation would discard it). Use a
+    // SOFT `history.replaceState` to the target + a synthetic `popstate` so
+    // URL-driven routers re-sync to the restored route without a reload.
+    const target = consumeCallbackTarget();
+    if (target !== null) {
+        history.replaceState(null, '', target);
+        dispatchPopState();
+    }
     return session;
 }