The marketplace checkout login surface diverged from the canonical
Sovereign wizard sign-in (console.openova.io/sovereign/wizard) on two
fronts. (1) Continue-with-Google was still rendered above an "or use
email" divider — founder wants email + PIN only. (2) The 6-digit PIN
row used 6 separate <input maxlength=1> boxes; paste only worked after
clicking inside a box first because no input was focused when verify
mounted.
Port the canonical PinInput6 (products/catalyst/bootstrap/ui/src/
components/PinInput6.tsx) to Svelte 5 — one hidden <input maxlength=6>
overlaid on 6 decorative boxes, auto-focused on mount AND on
visibilitychange + window focus. Paste-anywhere just works, mobile
SMS one-time-code suggestion still routes to the focused input.
Drop the inline ~80 LOC PIN handlers (codeDigits / codeRefs /
focusBox / setDigitAt / onDigitInput / onDigitKeyDown / onDigitPaste)
in favour of the new component. Remove the Google button, divider,
handleGoogleAuth / handleGoogleCallback, and the google_auth=1
URL-param $effect. Strip getGoogleAuthUrl / googleCallback from
imports. Simplify auth/callback.astro to a passive redirect to
/checkout — the route stays alive in case any old Google-issued
redirect URI fires.
API surface unchanged: /api/auth/magic-link + /api/auth/verify already
work as a PIN flow, only the UI shell changes. api.ts Google exports
are kept (dead code, but no backend coupling churn).
Co-authored-by: hatiyildiz <hatice@openova.io>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
cb1b7ab5a1