[RESOLVED]
The POST's Set-Cookie came back as ["cookie1", "cookie2", "cookie3"] — a Ruby array printed as literal text into a single header instead of three separate Set-Cookie: lines. That's the Rack 3 convention (multiple cookies handed to the app server as an array) being mishandled by an app server that predates Rack 3 support. Browsers salvaged the first fragment and silently discarded the rest — including the session cookie, leading to this error, which appeared in older branches too.
Thanks to everyone who reached out and helped.