Because:
- A passkey or passwordless+passkey session is session-AAL2, so AAL2 RPs (e.g. AMO) are satisfied at the OAuth grant. Those RPs require account-level 2FA (TOTP), which a passkey does not provide, so with no TOTP the grant keeps succeeding while the RP keeps rejecting, looping the user on the cached-signin screen.
This commit:
- Removes the isPasskeySession gate on the inline-TOTP-setup divert so it fires for any session satisfying session-AAL2 without account 2FA (fresh passkey ceremony or cached passkey session).
- SigninCached forwards accountHasTotp from the cached-signin response (totpIsActive) so the divert runs on the cached path.
- Adds a unit case for the cached (non-ceremony) divert plus functional tests for the cached passkey AAL2 session with and without TOTP.