# Frontend Boundary

- This repository hosts a React edge application for a single BFF.
- Frontend data access flows through `src/api/*` adapter modules.
- The UI does not access DAL or internal services directly.
- Route shell and protected sections are session-aware via Thalos session endpoints.
- The app is the central login shell for `auth.dream-views.com` and only redirects to allowlisted return hosts.

## Runtime Base URLs

- `API_BASE_URL` for business BFF calls.
- `THALOS_AUTH_BASE_URL` for session login/refresh/logout/me.
- `THALOS_DEFAULT_RETURN_URL` as the fallback post-login destination.
- `THALOS_ALLOWED_RETURN_HOSTS` as the return-url allowlist.
- `THALOS_DEFAULT_TENANT_ID` as login context default.

## Protected Workflow Endpoints

- `POST /api/identity/session/login`
- `POST /api/identity/session/refresh`
- `POST /api/identity/session/logout`
- `GET /api/identity/session/me`

## UI Workflow Coverage

- Google OIDC start-link generation with `returnUrl` and `tenantId`
- Session me/profile inspection
- Session refresh
- Session logout
- Safe fallback when request return host is not allowlisted