Because:
- Post-authentication navigation was scattered across leaf handlers, making
routing hard to reason about and inconsistent across integration types
(plain web, Sync, Firefox-non-sync, OAuth web, OAuth native).
This commit:
- Adds a hand-rolled funnel state machine (funnelReducer) plus pure routing
functions that own the post-auth destination decision, while legacy leaf
handlers keep performing the side effects (no double execution).
- Gates all behavior behind a tri-state authStateMachine override
(?authStateMachine=true|false forces on/off, absent falls back to config).
- Routes sign-in, post-signup-confirmation, reset-password (post-OTP decision,
recovery-choice, completion handoff), the Settings AAL2 access guard and the
InlineTotpSetup post-setup redirect through the machine.
- Adds exhaustive Playwright E2E coverage under tests/authMachine/ spanning all
integration types for sign-in, sign-up, reset, TOTP, unblock (FXA-12084),
the AAL2 guard and the off-switch, plus unit coverage of the routing rules.
- Makes the TOTP-setup page-object helper recovery-phone-availability aware so
the recovery-method chooser is skipped when it is unavailable.