feat(web): add protected session shell and mvp workflows

docs/architecture/frontend-boundary.md

@@ -4,6 +4,17 @@
 - Frontend data access flows through `src/api/*` adapter modules.
 - The UI does not access DAL or internal services directly.
 - Route shell and protected sections are session-aware via Thalos session endpoints.
-- Runtime base URLs:
-  - `API_BASE_URL` for business BFF calls.
-  - `THALOS_AUTH_BASE_URL` for session login/refresh/logout/me.
+
+## Runtime Base URLs
+
+- `API_BASE_URL` for business BFF calls.
+- `THALOS_AUTH_BASE_URL` for session login/refresh/logout/me.
+
+## Protected Workflow Endpoints
+
+- `GET /api/furniture/{furnitureId}/availability`
+
+## UI Workflow Coverage
+
+- Furniture availability lookup
+- Protected quick-reload actions for recent furniture ids

docs/runbooks/testing.md

@@ -14,9 +14,9 @@ npm run test:ci
 
 ## Coverage Scope
 
-- `src/api/client.test.ts`: runtime-config precedence and fallback behavior
-- `src/api/dashboardApi.test.ts`: endpoint path/query contract generation
-- `src/App.test.tsx`: render baseline and mocked load flow
+- `src/api/client.test.ts`: runtime-config precedence and fallback behavior.
+- `src/api/dashboardApi.test.ts`: endpoint path/query composition and payload mapping.
+- `src/App.test.tsx`: protected-route render and workflow trigger behavior.
 
 ## Notes
 

src/App.test.tsx

@@ -1,31 +1,60 @@
 import { fireEvent, render, screen, waitFor } from '@testing-library/react';
-import { describe, expect, it, vi } from 'vitest';
+import { beforeEach, describe, expect, it, vi } from 'vitest';
+
+vi.mock('./api/sessionApi', () => ({
+  getSessionMe: vi.fn(),
+  loginSession: vi.fn(),
+  refreshSession: vi.fn(),
+  logoutSession: vi.fn()
+}));
 
 vi.mock('./api/dashboardApi', () => ({
   loadDashboard: vi.fn()
 }));
 
 import { loadDashboard } from './api/dashboardApi';
+import { getSessionMe, loginSession } from './api/sessionApi';
 import App from './App';
 
-describe('App', () => {
-  it('renders baseline page', () => {
-    render(<App />);
-
-    expect(screen.getByRole('heading', { name: 'Furniture Web' })).toBeInTheDocument();
-    expect(screen.getByRole('button', { name: 'Load' })).toBeInTheDocument();
+describe('Furniture App', () => {
+  beforeEach(() => {
+    vi.mocked(loadDashboard).mockReset();
+    vi.mocked(getSessionMe).mockReset();
+    vi.mocked(loginSession).mockReset();
   });
 
-  it('loads dashboard data when user clicks load', async () => {
-    vi.mocked(loadDashboard).mockResolvedValue({ summary: 'ok' });
+  it('requires login when session is missing', async () => {
+    vi.mocked(getSessionMe).mockResolvedValue({ isAuthenticated: false, subjectId: '', tenantId: '', provider: 0 });
+
     render(<App />);
 
-    fireEvent.change(screen.getByRole('textbox'), { target: { value: 'ctx stage28' } });
-    fireEvent.click(screen.getByRole('button', { name: 'Load' }));
+    await waitFor(() => expect(screen.getByRole('button', { name: 'Sign In' })).toBeInTheDocument());
+    fireEvent.click(screen.getByRole('button', { name: 'Sign In' }));
+
+    await waitFor(() => expect(loginSession).toHaveBeenCalledTimes(1));
+  });
+
+  it('loads protected availability data', async () => {
+    vi.mocked(getSessionMe).mockResolvedValue({
+      isAuthenticated: true,
+      subjectId: 'demo-user',
+      tenantId: 'demo-tenant',
+      provider: 0
+    });
+    vi.mocked(loadDashboard).mockResolvedValue({
+      furnitureId: 'FURN-001',
+      displayName: 'Chair',
+      quantityAvailable: 4
+    });
+
+    render(<App />);
+
+    await waitFor(() => expect(screen.getByRole('button', { name: 'Load Availability' })).toBeInTheDocument());
+    fireEvent.click(screen.getByRole('button', { name: 'Load Availability' }));
 
     await waitFor(() => {
-      expect(loadDashboard).toHaveBeenCalledWith('ctx stage28');
-      expect(screen.getByText(/summary/)).toBeInTheDocument();
+      expect(loadDashboard).toHaveBeenCalledWith('FURN-001');
+      expect(screen.getByText(/Chair/)).toBeInTheDocument();
     });
   });
 });

src/App.tsx

@@ -1,41 +1,207 @@
 import { useState } from 'react';
-import { loadDashboard } from './api/dashboardApi';
+import { loadDashboard, type FurnitureAvailabilityResponse } from './api/dashboardApi';
+import { SessionProvider, useSessionContext } from './auth/sessionContext';
+import type { IdentityProvider } from './api/sessionApi';
+
+type RouteKey = 'overview' | 'actions';
 
 function App() {
-  const [contextId, setContextId] = useState('FURN-001');
-  const [payload, setPayload] = useState<unknown>(null);
+  return (
+    <SessionProvider>
+      <FurnitureShell />
+    </SessionProvider>
+  );
+}
+
+function FurnitureShell() {
+  const session = useSessionContext();
+  const [route, setRoute] = useState<RouteKey>('overview');
+  const [furnitureId, setFurnitureId] = useState('FURN-001');
+  const [availability, setAvailability] = useState<FurnitureAvailabilityResponse | null>(null);
+  const [history, setHistory] = useState<FurnitureAvailabilityResponse[]>([]);
   const [error, setError] = useState<string | null>(null);
   const [loading, setLoading] = useState(false);
 
-  const onLoad = async (): Promise<void> => {
+  const loadAvailability = async (targetFurnitureId = furnitureId) => {
     setLoading(true);
     setError(null);
     try {
-      const response = await loadDashboard(contextId);
-      setPayload(response);
+      const response = await loadDashboard(targetFurnitureId);
+      setAvailability(response);
+      setHistory((previous) => [response, ...previous.filter((item) => item.furnitureId !== response.furnitureId)].slice(0, 5));
     } catch (err) {
-      const message = err instanceof Error ? err.message : 'Unknown request error';
-      setError(message);
-      setPayload(null);
+      setError(err instanceof Error ? err.message : 'Unable to load furniture availability.');
     } finally {
       setLoading(false);
     }
   };
 
+  if (session.status === 'loading') {
+    return (
+      <main className="app">
+        <h1>Furniture Web</h1>
+        <p className="muted">Restoring session...</p>
+      </main>
+    );
+  }
+
+  if (session.status !== 'authenticated' || !session.profile) {
+    return (
+      <main className="app">
+        <h1>Furniture Web</h1>
+        <p className="muted">Sign in with Thalos to access furniture operations.</p>
+        {session.error && <div className="alert">{session.error}</div>}
+        <LoginCard />
+      </main>
+    );
+  }
+
   return (
     <main className="app">
       <h1>Furniture Web</h1>
-      <p>React baseline wired to its corresponding BFF via an API adapter module.</p>
-      <div className="row">
-        <input value={contextId} onChange={(event) => setContextId(event.target.value)} />
-        <button type="button" onClick={onLoad} disabled={loading}>
-          {loading ? 'Loading...' : 'Load'}
+      <p className="muted">Availability MVP with protected routes and resilient request handling.</p>
+
+      <section className="card row">
+        <span className="badge">subject: {session.profile.subjectId}</span>
+        <span className="badge">tenant: {session.profile.tenantId}</span>
+        <span className="badge">provider: {providerLabel(session.profile.provider)}</span>
+        <span className="spacer" />
+        <button type="button" className="secondary" onClick={() => void session.refresh()}>
+          Refresh Session
         </button>
-      </div>
-      {error && <p>{error}</p>}
-      <pre>{JSON.stringify(payload, null, 2)}</pre>
+        <button type="button" className="warn" onClick={() => void session.logout()}>
+          Logout
+        </button>
+      </section>
+
+      <section className="card tabs" aria-label="route-shell">
+        <button
+          type="button"
+          className={route === 'overview' ? 'active' : undefined}
+          onClick={() => setRoute('overview')}
+        >
+          Availability
+        </button>
+        <button
+          type="button"
+          className={route === 'actions' ? 'active' : undefined}
+          onClick={() => setRoute('actions')}
+        >
+          Quick Actions
+        </button>
+      </section>
+
+      {session.error && <div className="alert">{session.error}</div>}
+      {error && <div className="alert">{error}</div>}
+
+      {route === 'overview' && (
+        <section className="card col">
+          <div className="row">
+            <label className="col">
+              Furniture Id
+              <input value={furnitureId} onChange={(event) => setFurnitureId(event.target.value)} />
+            </label>
+            <button type="button" onClick={() => void loadAvailability()} disabled={loading}>
+              {loading ? 'Loading...' : 'Load Availability'}
+            </button>
+          </div>
+          <pre>{JSON.stringify(availability, null, 2)}</pre>
+        </section>
+      )}
+
+      {route === 'actions' && (
+        <section className="card col">
+          <strong>Recent lookups</strong>
+          <div className="row">
+            {history.length === 0 && <span className="muted">No lookups yet.</span>}
+            {history.map((item) => (
+              <button
+                key={item.furnitureId}
+                type="button"
+                className="ghost"
+                onClick={() => {
+                  setFurnitureId(item.furnitureId);
+                  void loadAvailability(item.furnitureId);
+                }}
+              >
+                {item.furnitureId} ({item.quantityAvailable})
+              </button>
+            ))}
+          </div>
+          <p className="muted">Use quick actions to repeat common availability checks.</p>
+        </section>
+      )}
     </main>
   );
 }
 
+function LoginCard() {
+  const session = useSessionContext();
+  const [subjectId, setSubjectId] = useState('demo-user');
+  const [tenantId, setTenantId] = useState('demo-tenant');
+  const [provider, setProvider] = useState<IdentityProvider>(0);
+  const [externalToken, setExternalToken] = useState('');
+  const [error, setError] = useState<string | null>(null);
+  const [submitting, setSubmitting] = useState(false);
+
+  const onSubmit = async () => {
+    setSubmitting(true);
+    setError(null);
+    try {
+      await session.login({ subjectId, tenantId, provider, externalToken });
+    } catch (err) {
+      setError(err instanceof Error ? err.message : 'Login failed.');
+    } finally {
+      setSubmitting(false);
+    }
+  };
+
+  return (
+    <section className="card col">
+      <div className="grid">
+        <label className="col">
+          Subject Id
+          <input value={subjectId} onChange={(event) => setSubjectId(event.target.value)} />
+        </label>
+        <label className="col">
+          Tenant Id
+          <input value={tenantId} onChange={(event) => setTenantId(event.target.value)} />
+        </label>
+        <label className="col">
+          Provider
+          <select value={String(provider)} onChange={(event) => setProvider(Number(event.target.value) as IdentityProvider)}>
+            <option value="0">Internal JWT</option>
+            <option value="1">Azure AD (simulated)</option>
+            <option value="2">Google (simulated)</option>
+          </select>
+        </label>
+      </div>
+      <label className="col">
+        External Token (optional)
+        <input value={externalToken} onChange={(event) => setExternalToken(event.target.value)} />
+      </label>
+      <button type="button" onClick={() => void onSubmit()} disabled={submitting}>
+        {submitting ? 'Signing In...' : 'Sign In'}
+      </button>
+      {error && <div className="alert">{error}</div>}
+    </section>
+  );
+}
+
+function providerLabel(provider: IdentityProvider): string {
+  if (provider === 0 || provider === '0' || provider === 'InternalJwt') {
+    return 'Internal JWT';
+  }
+
+  if (provider === 1 || provider === '1' || provider === 'AzureAd') {
+    return 'Azure AD';
+  }
+
+  if (provider === 2 || provider === '2' || provider === 'Google') {
+    return 'Google';
+  }
+
+  return String(provider);
+}
+
 export default App;

src/api/dashboardApi.test.ts

@@ -7,12 +7,12 @@ vi.mock('./client', () => ({
 import { getJson } from './client';
 import { loadDashboard } from './dashboardApi';
 
-describe('loadDashboard', () => {
-  it('builds encoded endpoint path and delegates to getJson', async () => {
+describe('furniture dashboard api', () => {
+  it('builds encoded availability endpoint path', async () => {
     vi.mocked(getJson).mockResolvedValue({ ok: true });
 
-    await loadDashboard('demo context/1');
+    await loadDashboard('FURN/001 Demo');
 
-    expect(getJson).toHaveBeenCalledWith('/api/furniture/demo%20context%2F1/availability');
+    expect(getJson).toHaveBeenCalledWith('/api/furniture/FURN%2F001%20Demo/availability');
   });
 });

src/api/dashboardApi.ts

@@ -1,5 +1,11 @@
 import { getJson } from './client';
 
-export async function loadDashboard(contextId: string): Promise<unknown> {
-  return getJson(`/api/furniture/${encodeURIComponent(contextId)}/availability`);
+export type FurnitureAvailabilityResponse = {
+  furnitureId: string;
+  displayName: string;
+  quantityAvailable: number;
+};
+
+export async function loadDashboard(furnitureId: string): Promise<FurnitureAvailabilityResponse> {
+  return getJson<FurnitureAvailabilityResponse>(`/api/furniture/${encodeURIComponent(furnitureId)}/availability`);
 }

src/api/sessionApi.ts

@@ -1,24 +1,26 @@
 import { getJson, getThalosAuthBaseUrl, postJson, postNoContent } from './client';
 
+export type IdentityProvider = 0 | 1 | 2 | string | number;
+
 export type SessionProfile = {
   isAuthenticated: boolean;
   subjectId: string;
   tenantId: string;
-  provider: string;
+  provider: IdentityProvider;
 };
 
 export type SessionLoginRequest = {
   subjectId: string;
   tenantId: string;
   correlationId: string;
-  provider: string;
+  provider: IdentityProvider;
   externalToken: string;
 };
 
 export type SessionLoginResponse = {
   subjectId: string;
   tenantId: string;
-  provider: string;
+  provider: IdentityProvider;
   expiresInSeconds: number;
 };
 

src/auth/sessionContext.tsx

@@ -0,0 +1,120 @@
+import { createContext, type PropsWithChildren, useCallback, useContext, useEffect, useMemo, useState } from 'react';
+import { ApiError } from '../api/client';
+import {
+  getSessionMe,
+  loginSession,
+  logoutSession,
+  refreshSession,
+  type SessionLoginRequest,
+  type SessionProfile
+} from '../api/sessionApi';
+
+export type SessionStatus = 'loading' | 'authenticated' | 'unauthenticated';
+
+type SessionContextValue = {
+  status: SessionStatus;
+  profile: SessionProfile | null;
+  error: string | null;
+  login: (request: Omit<SessionLoginRequest, 'correlationId'> & { correlationId?: string }) => Promise<void>;
+  refresh: () => Promise<void>;
+  logout: () => Promise<void>;
+  revalidate: () => Promise<void>;
+};
+
+const SessionContext = createContext<SessionContextValue | undefined>(undefined);
+
+export function SessionProvider({ children }: PropsWithChildren) {
+  const [status, setStatus] = useState<SessionStatus>('loading');
+  const [profile, setProfile] = useState<SessionProfile | null>(null);
+  const [error, setError] = useState<string | null>(null);
+
+  const revalidate = useCallback(async () => {
+    try {
+      const me = await getSessionMe();
+      if (me.isAuthenticated) {
+        setProfile(me);
+        setStatus('authenticated');
+      } else {
+        setProfile(null);
+        setStatus('unauthenticated');
+      }
+      setError(null);
+    } catch (err) {
+      if (err instanceof ApiError && err.status === 401) {
+        setProfile(null);
+        setStatus('unauthenticated');
+        setError(null);
+        return;
+      }
+
+      const message = err instanceof Error ? err.message : 'Session validation failed.';
+      setProfile(null);
+      setStatus('unauthenticated');
+      setError(message);
+    }
+  }, []);
+
+  useEffect(() => {
+    void revalidate();
+  }, [revalidate]);
+
+  const login = useCallback<SessionContextValue['login']>(
+    async (request) => {
+      setError(null);
+      await loginSession({
+        ...request,
+        correlationId: request.correlationId && request.correlationId.length > 0 ? request.correlationId : createCorrelationId()
+      });
+      await revalidate();
+    },
+    [revalidate]
+  );
+
+  const refresh = useCallback(async () => {
+    setError(null);
+    await refreshSession();
+    await revalidate();
+  }, [revalidate]);
+
+  const logout = useCallback(async () => {
+    setError(null);
+    try {
+      await logoutSession();
+    } finally {
+      setProfile(null);
+      setStatus('unauthenticated');
+    }
+  }, []);
+
+  const value = useMemo<SessionContextValue>(
+    () => ({
+      status,
+      profile,
+      error,
+      login,
+      refresh,
+      logout,
+      revalidate
+    }),
+    [status, profile, error, login, refresh, logout, revalidate]
+  );
+
+  return <SessionContext.Provider value={value}>{children}</SessionContext.Provider>;
+}
+
+export function useSessionContext(): SessionContextValue {
+  const value = useContext(SessionContext);
+  if (!value) {
+    throw new Error('useSessionContext must be used within SessionProvider.');
+  }
+
+  return value;
+}
+
+function createCorrelationId(): string {
+  if (typeof crypto !== 'undefined' && typeof crypto.randomUUID === 'function') {
+    return crypto.randomUUID();
+  }
+
+  return `corr-${Date.now()}-${Math.random().toString(16).slice(2)}`;
+}

src/styles.css

@@ -77,6 +77,11 @@ button.warn {
   background: #b91c1c;
 }
 
+button.ghost {
+  background: #e2e8f0;
+  color: #0f172a;
+}
+
 button:disabled {
   cursor: not-allowed;
   opacity: 0.6;
@@ -110,6 +115,26 @@ button:disabled {
   font-weight: 600;
 }
 
+.tabs {
+  display: flex;
+  gap: 0.5rem;
+  flex-wrap: wrap;
+}
+
+.tabs button {
+  background: #dbeafe;
+  color: #1e3a8a;
+}
+
+.tabs button.active {
+  background: #1d4ed8;
+  color: #ffffff;
+}
+
+.spacer {
+  flex: 1;
+}
+
 pre {
   margin: 0;
   background: #0f172a;