Summary
When the startup auth/profile request /api/me times out or returns a Cloudflare/server timeout, LinkSim currently renders a full-page signed-out/access-unavailable state. That can look like the user was thrown out of the app even when their Cloudflare Access session is valid.
Desired behavior
- Keep the user in the workspace for auth/API timeout, signed-out, forbidden, pending, and revoked states.
- Show a persistent, impossible-to-miss in-app warning that cloud save may not work and changes may not be saved.
- Reuse the existing AppShell notification stack/UI-gallery pattern; do not introduce a new banner system.
- Keep current edit/save permissions by default; this issue improves warning and continuity, not local draft persistence.
- Make /api/me fail fast with clear JSON errors instead of hanging until Cloudflare returns 524.
Acceptance criteria
- Startup /api/me timeout or 524 keeps the normal workspace visible.
- Auth degraded states show a pinned accessible warning.
- Full-page access lockout is removed for these auth states.
- Backend auth verification is bounded so /api/me does not hang indefinitely.
- Tests cover frontend degraded auth handling and backend auth timeout/header paths.
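One way to bound the backend check behind /api/me, as an added example that is not LinkSim's code. `handleMe`, `bounded`, the `verify` callback, the 3-second budget, and the status and error codes are assumptions; `Cf-Access-Jwt-Assertion` is the header Cloudflare Access sends to the origin.

```javascript
// Added example: names, budget, status codes and error codes are assumptions, not LinkSim's.
const AUTH_TIMEOUT_MS = 3000; // assumed budget, far below the point where the edge would return 524

class AuthTimeoutError extends Error {}

// Reject if work(signal) has not settled within ms, and abort it so it stops holding resources.
function bounded(work, ms) {
  const controller = new AbortController();
  let timer;
  const deadline = new Promise((_, reject) => {
    timer = setTimeout(() => {
      controller.abort();
      reject(new AuthTimeoutError(`auth verification exceeded ${ms} ms`));
    }, ms);
  });
  // Promise.resolve().then(...) turns a synchronous throw in work() into a rejection.
  const task = Promise.resolve().then(() => work(controller.signal));
  return Promise.race([task, deadline]).finally(() => clearTimeout(timer));
}

const json = (status, body) => ({
  status,
  headers: { "content-type": "application/json", "cache-control": "no-store" },
  body: JSON.stringify(body),
});

// verify(token, signal) is a hypothetical verifier: resolves to { email } or throws.
async function handleMe(headers, verify, timeoutMs = AUTH_TIMEOUT_MS) {
  const token = headers["cf-access-jwt-assertion"];
  if (!token) return json(401, { error: "signed_out", message: "Missing Access token header" });
  try {
    const identity = await bounded((signal) => verify(token, signal), timeoutMs);
    return json(200, { email: identity.email });
  } catch (err) {
    if (err instanceof AuthTimeoutError) {
      return json(504, { error: "auth_timeout", message: "Auth verification timed out" });
    }
    // A failed verification is a denial; it never falls through to an authenticated response.
    return json(401, { error: "invalid_token", message: "Access token could not be verified" });
  }
}
```

The distinct `error` values let the frontend tell a timeout (session may still be valid) from a denial, while the backend still rejects writes until verification succeeds.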