- wire legacy schema checks to live OleDb inspection and durable history
- harden schema baseline parsing and add constraint drift detection
- authenticate admin schema API calls from the client
- add release-gate workflow for legacy schema validation
- add extension-record save path with pre-save legacy link validation
- add link ambiguity detection, provider coverage reporting, and nightly integrity scheduler
- mark stories 1.7 and 1.8 done after review fixes

React StrictMode's double-invocation of useEffect caused the first run to
remove oidcStateStorageKey from sessionStorage before the async code exchange
began. The second run would see the missing state, throw, and display
"Authentication failed" — while the first run completed in the background
(storing tokens and replacing the URL), making a page refresh appear to work.

Introduces a module-scope Promise (pendingCallbackSequence) that covers the
full callback sequence: token exchange, session fetch, and URL navigation. The
second effect run shares the same Promise and awaits its result, so no re-
validation or re-fetching occurs, and only the non-cancelled run sets state.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>