# Frontend Boundary

- This repository hosts the central identity web surface for Thalos.
- Frontend data access flows through `src/api/*` adapter modules.
- The UI does not access DAL or internal services directly.
- Route shell uses Ant Design layout/menu and keeps session workspace behind session checks.
- Callback handling validates OIDC query states and normalizes return paths to same-origin routes.

## Runtime Base URLs

- `API_BASE_URL` for business BFF calls.
- `THALOS_AUTH_BASE_URL` for session and OIDC endpoints.
- `THALOS_DEFAULT_RETURN_URL` for callback fallback.
- `THALOS_DEFAULT_TENANT_ID` for OIDC tenant defaults.

## Protected Workflow Endpoints

- `GET /api/identity/oidc/google/start`
- `GET /api/identity/oidc/google/callback`
- `POST /api/identity/session/login`
- `POST /api/identity/session/refresh`
- `POST /api/identity/session/logout`
- `GET /api/identity/session/me`

## UI Workflow Coverage

- Central login launch (Google OIDC start)
- Callback processing and error rendering
- Session workspace verification and snapshot reload
- Manual dev/test session login fallback