fix: remove vendorCode from vendor API paths

Vendor API endpoints use JWT authentication, not URL path parameters. The vendorCode should only be used for page URLs (navigation), not API calls. Fixed API paths in 10 vendor JS files: - analytics.js, customers.js, inventory.js, notifications.js - order-detail.js, orders.js, products.js, profile.js - settings.js, team.js Added architecture rule JS-014 to prevent this pattern from recurring. Added validation check _check_vendor_api_paths to validate_architecture.py. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-02 21:49:24 +01:00
parent c87bdfa129
commit 34d115dc58
12 changed files with 131 additions and 43 deletions
--- a/.architecture-rules/frontend.yaml
+++ b/.architecture-rules/frontend.yaml
@@ -131,6 +131,42 @@ javascript_rules:
        - "init-alpine.js"
        - "login.js"

+  - id: "JS-014"
+    name: "Vendor API calls must not include vendorCode in path"
+    severity: "error"
+    description: |
+      Vendor API endpoints use JWT token authentication, NOT URL path parameters.
+      The vendor is identified from the JWT token via get_current_vendor_api dependency.
+
+      Do NOT include vendorCode in API paths for authenticated vendor endpoints.
+
+      WRONG (vendorCode in API path):
+        apiClient.get(`/vendor/${this.vendorCode}/orders`)
+        apiClient.post(`/vendor/${this.vendorCode}/products`, data)
+
+      RIGHT (no vendorCode, uses JWT):
+        apiClient.get(`/vendor/orders`)
+        apiClient.post(`/vendor/products`, data)
+
+      EXCEPTIONS (these endpoints DO use vendorCode in path):
+        - /vendor/{vendor_code} - Public vendor info (info.router)
+        - /vendor/{vendor_code}/content-pages/* - Content pages management
+        - Page URLs (not API calls) like window.location.href = `/vendor/${vendorCode}/...`
+
+      Why this matters:
+      - Including vendorCode causes 404 errors ("/vendor/wizamart/orders" not found)
+      - The JWT token already identifies the vendor
+      - Consistent with the API design pattern
+    pattern:
+      file_pattern: "static/vendor/js/**/*.js"
+      anti_patterns:
+        - "apiClient\\.(get|post|put|delete|patch)\\s*\\(\\s*`/vendor/\\$\\{this\\.vendorCode\\}/(orders|products|customers|inventory|analytics|dashboard|profile|settings|team|notifications|invoices|payments|media|marketplace|letzshop|billing|features|usage)"
+      exceptions:
+        - "init-alpine.js"
+        - "login.js"
+        - "content-pages.js"
+        - "content-page-edit.js"
+
  - id: "JS-007"
    name: "Set loading state before async operations"
    severity: "warning"