Log every cold-start and recovery branch in the auth flow

Cold-start, the already-authenticated guard path, and the 401-refresh
failure path were all silent. On iOS PWA every foreground is a cold
start (the page gets terminated when backgrounded), so the silent
branches meant no [auth] line ever reached Faro between page open and
the next pagehide flush. Add:

- Boot trace in main.ts the moment Faro is initialized, capturing
  standalone vs browser, returned-from-authority, and visibilityState
- Cold-start snapshot in TokenRenewalService.init() showing whether
  the refresh/access token survived storage eviction
- Positive log in authGuard when the session is already valid
- Result details (isAuthenticated, hasAccessToken) on both the
  foreground refresh and the 401-retry refresh completion logs
- Failure log when the 401-retry refresh itself fails

Author: claude

client/src/app/utils/auth-retry.interceptor.ts

@@ -34,12 +34,28 @@ export const authRetryInterceptor: HttpInterceptorFn = (req, next) => {
       );
 
       return oidcSecurityService.forceRefreshSession().pipe(
-        tap(() =>
+        tap((result) =>
           console.info(
             '[auth] Token refreshed after 401 - retrying original request',
-            JSON.stringify({ url: req.url })
+            JSON.stringify({
+              url: req.url,
+              isAuthenticated: result?.isAuthenticated ?? false,
+            })
           )
         ),
+        catchError((refreshError: unknown) => {
+          console.warn(
+            '[auth] Token refresh after 401 failed - propagating original error',
+            JSON.stringify({
+              url: req.url,
+              error:
+                refreshError instanceof Error
+                  ? refreshError.message
+                  : String(refreshError),
+            })
+          );
+          return throwError(() => error);
+        }),
         switchMap(() => next(req))
       );
     })

client/src/app/utils/auth.guard.ts

@@ -17,6 +17,9 @@ export const authGuard: CanActivateFn = () => {
     take(1),
     switchMap((isAuthenticated) => {
       if (isAuthenticated) {
+        console.info(
+          '[auth] Auth guard passed - already authenticated, no renewal needed'
+        );
         return of(true);
       }
 
@@ -32,7 +35,8 @@ export const authGuard: CanActivateFn = () => {
           }
 
           console.info(
-            '[auth] Not authenticated but refresh token present - attempting silent renewal before full re-authentication'
+            '[auth] Not authenticated but refresh token present - attempting silent renewal before full re-authentication',
+            JSON.stringify({ refreshTokenLength: refreshToken.length })
           );
           return oidc.forceRefreshSession().pipe(
             switchMap((result) => {

client/src/app/utils/token-renewal.service.ts

@@ -22,6 +22,8 @@ export class TokenRenewalService {
   private readonly destroyRef = inject(DestroyRef);
 
   init(): void {
+    this.logColdStartSnapshot();
+
     const visible$ = fromEvent(document, 'visibilitychange');
     const focus$ = fromEvent(window, 'focus');
     const online$ = fromEvent(window, 'online');
@@ -34,6 +36,49 @@ export class TokenRenewalService {
       .subscribe(() => this.renewIfForeground());
   }
 
+  /**
+   * Single boot-time entry that always lands in Faro, even when nothing else
+   * fires. On iOS PWA the page is frequently terminated when backgrounded, so
+   * every "return to foreground" is actually a cold start with no
+   * visibilitychange/focus event to hook into. This snapshot is the only signal
+   * that explains which state the new page instance started in: did the OIDC
+   * storage survive, did the user come back from the authority redirect, etc.
+   */
+  private logColdStartSnapshot(): void {
+    const url = new URL(window.location.href);
+    const returnedFromAuthority =
+      url.searchParams.has('code') || url.searchParams.has('error');
+
+    forkJoin({
+      isAuthenticated: this.oidcSecurityService.isAuthenticated(),
+      refreshToken: this.oidcSecurityService.getRefreshToken(),
+      accessToken: this.oidcSecurityService.getAccessToken(),
+    })
+      .pipe(takeUntilDestroyed(this.destroyRef))
+      .subscribe(({ isAuthenticated, refreshToken, accessToken }) => {
+        const hasRefreshToken = !!refreshToken;
+        const hasAccessToken = !!accessToken;
+
+        console.info(
+          `[auth] Cold start - ${
+            hasRefreshToken ? 'refresh token present in storage' : 'no refresh token in storage'
+          }`,
+          JSON.stringify({
+            isAuthenticated,
+            hasRefreshToken,
+            hasAccessToken,
+            refreshTokenLength: refreshToken?.length ?? 0,
+            returnedFromAuthority,
+            displayMode:
+              window.matchMedia?.('(display-mode: standalone)').matches
+                ? 'standalone'
+                : 'browser',
+            storage: snapshotStorageKeys(),
+          })
+        );
+      });
+  }
+
   private renewIfForeground(): void {
     if (document.visibilityState !== 'visible') {
       return;
@@ -77,8 +122,14 @@ export class TokenRenewalService {
         this.oidcSecurityService
           .forceRefreshSession()
           .pipe(
-            tap(() =>
-              console.info('[auth] Proactive foreground token refresh completed')
+            tap((result) =>
+              console.info(
+                '[auth] Proactive foreground token refresh completed',
+                JSON.stringify({
+                  isAuthenticated: result?.isAuthenticated ?? false,
+                  hasAccessToken: !!result?.accessToken,
+                })
+              )
             ),
             catchError((error: unknown) => {
               console.error(

client/src/main.ts

@@ -6,8 +6,21 @@ import { initFaro } from './app/utils/faro';
 
 loadEnvironmentConfig().then(environment => {
   initFaro(environment.clientLogUrl, environment.clientAppName);
+  const url = new URL(window.location.href);
+  console.info(
+    '[auth] Boot - Faro initialized, starting Angular bootstrap',
+    JSON.stringify({
+      returnedFromAuthority:
+        url.searchParams.has('code') || url.searchParams.has('error'),
+      displayMode:
+        window.matchMedia?.('(display-mode: standalone)').matches
+          ? 'standalone'
+          : 'browser',
+      visibilityState: document.visibilityState,
+    })
+  );
   bootstrapApplication(AppComponent, getAppConfig(environment))
-    .catch((err) => console.error(err));
+    .catch((err) => console.error('[auth] Angular bootstrap failed', err));
 });
 
 async function loadEnvironmentConfig(): Promise<EnvironmentConfig> {