Parent initiative: #287
Summary
Implement authenticated session handling for the commerce admin and guard routes so business users and technical users only reach operator console surfaces allowed by the API.
Acceptance criteria
- Login, logout, token refresh or restoration, and expired-session flows are visible and recoverable without direct service calls.
- Protected routes redirect unauthenticated users and preserve intended return destinations after successful authentication.
- Authorization failures from GraphQL responses render permission states rather than generic crashes.
- Session state is shared by the shell, context switcher, and catalog operations without leaking credentials to logs or URLs.
- Unit, component, and route-level tests cover authenticated, unauthenticated, expired, and unauthorized states.
Architecture note
gitstore-admin remains an optional add-on and consumes gitstore-api; it must not talk directly to gitstore-git-service.
Parent initiative: #287
Summary
Implement authenticated session handling for the commerce admin and guard routes so business users and technical users only reach operator console surfaces allowed by the API.
Acceptance criteria
Architecture note
gitstore-adminremains an optional add-on and consumesgitstore-api; it must not talk directly togitstore-git-service.