Skip duplicate handoff exchange under React Strict Mode (#10)

* Skip duplicate handoff exchange under React Strict Mode

The bootstrap effect in useManagedAuthSession calls exchangeHandoffCode
on mount with no "already started" guard. Under React 18+ Strict Mode,
effects run mount → cleanup → mount in dev: the first mount consumes
the handoff code server-side, and the second mount re-fires the
exchange with an already-consumed code. The component lands in the
error state and fires onError("Failed to start session"), even though
auth would have worked fine.

The existing ``cancelled`` flag only stops React state updates; it
can't unsend the HTTP request that consumed the code on the first
mount. Add a useRef guard keyed on (sessionId, handoffCode) — same
pattern as the existing callbackFiredRef — so the second mount
short-circuits while a genuine prop change still re-runs the effect.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* Adopt in-flight exchange via ref identity instead of cancelled flag

Cursor flagged the original guard: under Strict Mode's
mount → cleanup → mount cycle, the cleanup flipped the closure-local
``cancelled`` to true while the second mount short-circuited at the
new ref guard. The first mount's in-flight exchange would then
resolve, read ``cancelled === true``, and skip its own ``setJwt``
call — leaving the component silently stuck with jwt === null after
the server had already consumed the handoff code. That's strictly
worse than the original bug (visible error → invisible dead state).

Replace the closure-local flag with a ref-identity check. Each
distinct (sessionId, handoffCode) gets a fresh ``{ key }`` object on
``exchangeRef``; the in-flight async reads the ref and bails iff the
ref has been *replaced* (genuine prop change). A Strict Mode re-mount
sees the same key and returns early without touching the ref — so
when the first mount's async resolves, ``exchangeRef.current === ref``
still holds and the JWT is committed.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* Track active flag on exchangeRef + always return cleanup

Cursor flagged two correct bugs in 90c173b:

1. The short-circuit ``return;`` on the Strict Mode second mount
   returned undefined, replacing the first mount's cleanup — so when
   the component actually unmounted later, ``stopPolling`` never ran
   and any started interval/timeout leaked.

2. Without the closure-local ``cancelled`` flag, a real unmount no
   longer signaled the in-flight async to stop. The ref-identity
   check only caught a *prop change*, not unmount, so the async kept
   firing ``setState``/``startPolling`` against a dead component.

Both fix together by adding ``active: boolean`` to the ref object.
Cleanup flips it false; the matching-key remount flips it back true.
The async checks both ``exchangeRef.current !== ref`` (stale identity)
and ``!ref.active`` (real unmount) before each ``setState``. And the
short-circuit path now returns the same cleanup function so React
preserves it across the synthetic unmount/remount.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* Tighten Strict Mode comments per review

- Drop the parenthetical pointing at the review tool — process refs
  don't belong in published source.
- Collapse the exchangeRef declaration block to one short sentence
  naming the fields; defer the invariants to the effect comment so
  the strict-mode rationale lives in exactly one place.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: Tom-Achache

.changeset/fix-strict-mode-double-exchange.md

@@ -0,0 +1,5 @@
+---
+"@onkernel/managed-auth-react": patch
+---
+
+Guard the bootstrap effect in `useManagedAuthSession` against React 18+ Strict Mode's mount → cleanup → mount double-invocation. Without the guard, the second mount re-fires `exchangeHandoffCode` with a now-consumed handoff code and the component lands in the error state ("Failed to start session") even when auth would have worked. Tracked per `(sessionId, handoffCode)` so a genuine prop change still triggers a fresh exchange.

packages/managed-auth-react/src/session/useManagedAuthSession.ts

@@ -86,6 +86,11 @@ export function useManagedAuthSession(
     success: false,
     error: false,
   });
+  // Tracks the in-flight bootstrap exchange. ``key`` identifies which
+  // (sessionId, handoffCode) pair it belongs to; ``active`` is false
+  // between cleanup and the matching-key remount. See the effect below
+  // for the invariants these fields enforce.
+  const exchangeRef = useRef<{ key: string; active: boolean } | null>(null);
 
   const stopPolling = useCallback(() => {
     if (pollDelayRef.current) {
@@ -167,18 +172,52 @@ export function useManagedAuthSession(
   );
 
   useEffect(() => {
-    let cancelled = false;
+    // Strict-Mode-safe one-shot init. Under React 18+ Strict Mode in dev,
+    // effects run mount → cleanup → mount; the handoff code is one-shot
+    // server-side, so a naive remount refires the exchange against an
+    // already-consumed code. Three invariants make this safe:
+    //
+    //   1. Guard the exchange by ref identity, not a closure-local
+    //      ``cancelled`` flag — a closure flag set by the synthetic
+    //      cleanup would orphan the first mount's in-flight result.
+    //   2. Track an ``active`` flag on the ref so the async can
+    //      distinguish a real unmount (active stays false) from a
+    //      Strict Mode unmount/remount (active flips false → true
+    //      synchronously before the async resolves).
+    //   3. Always return the cleanup, even on the short-circuit path —
+    //      React only keeps the most recent effect's cleanup, so a bare
+    //      ``return`` from the second mount would orphan ``stopPolling``
+    //      and leak the interval at real unmount.
+    const exchangeKey = `${sessionId}::${handoffCode}`;
+    const cleanup = () => {
+      if (exchangeRef.current?.key === exchangeKey) {
+        exchangeRef.current.active = false;
+      }
+      stopPolling();
+    };
+
+    if (exchangeRef.current?.key === exchangeKey) {
+      // Strict Mode remount of the same exchange: cleanup just flipped
+      // active=false; flip it back so the in-flight async can commit.
+      // Return the cleanup so a later *real* unmount still stops polling.
+      exchangeRef.current.active = true;
+      return cleanup;
+    }
+
+    const ref = { key: exchangeKey, active: true };
+    exchangeRef.current = ref;
+
     (async () => {
       try {
         const token = await exchangeHandoffCode(
           sessionId,
           handoffCode,
           options,
         );
-        if (cancelled) return;
+        if (exchangeRef.current !== ref || !ref.active) return;
         setJwt(token);
         const initial = await retrieveManagedAuth(sessionId, token, options);
-        if (cancelled) return;
+        if (exchangeRef.current !== ref || !ref.active) return;
         setState(initial);
         const derived = deriveUIState(initial);
         if (
@@ -213,7 +252,7 @@ export function useManagedAuthSession(
           setUIState("prime");
         }
       } catch (err) {
-        if (cancelled) return;
+        if (exchangeRef.current !== ref || !ref.active) return;
         const message =
           err instanceof Error ? err.message : "Failed to start session";
         setInitError(message);
@@ -224,10 +263,7 @@ export function useManagedAuthSession(
         }
       }
     })();
-    return () => {
-      cancelled = true;
-      stopPolling();
-    };
+    return cleanup;
     // eslint-disable-next-line react-hooks/exhaustive-deps
   }, [sessionId, handoffCode]);