Before shipping it, separate protocol facts, product promises, and operating cost. Mixing those layers produces confident but incorrect decisions. Connection is not permanent permission for every feature. Persist base-session trust while requesting and revoking sensitive capabilities separately.
A product loop covers start, wait, cancel, failure, recovery, and re-entry while automation obeys the user’s latest explicit choice. Metrics measure task outcomes rather than button clicks.
The parts that make the design practical
This capability crosses clients, networks, and servers, so a local optimization can create a system failure. Decisions must constrain both endpoints, persisted truth, and operating budgets together.
- Show alias, short fingerprint, and requested capability on first contact, default-deny strangers, silently restore the same trusted key, and highlight new scope.
- Give state one owner, a version, and terminal states; callbacks may mutate only the version that created them.
- Ship conservative defaults, server-side ceilings, and a rollout switch instead of trusting browser-provided numbers as resource budgets.
The delivery standard for Connection Consent That Blocks Harassment Without Repeated Prompts is a usable normal path, convergent failures, bounded resources, and a state users can understand. The result is a production capability that can be explained, degraded safely, and rolled back—not a demo that works once.
Keep false assumptions out of production
Production failures often appear when two individually valid actions overlap. Inspect stale messages, duplicate effects, exhausted resources, and mixed versions instead of patching only the current stack frame.
- Auto-accept by device name allows impersonation, endless prompts after refusal enable harassment, and permanent block without recovery punishes mistakes.
- Fixing only the UI leaves queues, locks, or expired credentials for the next operation to inherit and fail again.
- User or task IDs in metric labels create high-cardinality cost and leak unnecessary identity into diagnostics.
What the release gate should inspect
A release gate combines deterministic regression, randomized timing, and real browser pairs. Preserve the seed and state trace from every failure as a permanent replay case.
- Build a matrix for unknown, TOFU, verified, changed key, new scope, refusal cooldown, and unblock; both peers must agree on identity and authorization.
- Disconnect, change networks, and recover mid-operation; reconcile endpoint state, persistence, and resource counts.
- Before release, record success rate, p50/p95/p99 latency, error classes, and resource high-water marks with explicit rollback thresholds.
A capability becomes maintainable when it degrades safely, repetition adds no side effects, and its signals reveal a fault before user reports do.