What changed

• replace proxy-incompatible auth cookies with HMAC-signed session tokens stored in tab-scoped sessionStorage
• bind OAuth state to a browser-generated nonce and safe return path
• return a no-store callback bridge so browser navigation—not the here.now proxy—finishes OAuth
• send session tokens only in same-origin JSON bodies for session lookup and vote writes
• tolerate proxy-stripped Origin headers while still rejecting explicit untrusted origins
• keep the voting launch flag off throughout the repair

Root cause

Production tracing during the staged deployment showed that the here.now proxy follows upstream redirects and strips Cookie, Origin, and Referer headers. The original cookie/302 OAuth design therefore could not complete through the canonical domain.

Validation

• 46 Worker tests pass
• node scripts/check.mjs
• syntax and JSON validation
• Worker deploy dry-run
• production proxy tracing with voting hidden
• autoreview clean after fixing session-restore and browser-back resilience findings

Deployment

Deploy the Worker first with VOTING_UI_ENABLED=false, republish the complete site artifact for the new cache key, complete the canonical GitHub login/session/vote/reload/logout smoke test, then redeploy only the Worker with the flag explicitly enabled.